A quantum approach to the hidden subgroup problem using group representations and automorphisms

Academic year: 2021



A quantum approach to the hidden subgroup problem using group representations and automorphisms

Casper Gyurik

July 15, 2015

Bachelor thesis, double bachelor Mathematics and Computer Science

Supervisors: prof. dr. Buhrman and prof. dr. Opdam

Korteweg-De Vries Institute for Mathematics, Faculty of Sciences, Mathematics and Computer Science


Abstract

The hidden subgroup problem is a fundamental problem in quantum computation. It has many interesting instances for which we do not yet have an efficient classical algorithm and for which we want to find, or have found, an efficient quantum algorithm. Examples of such instances are the discrete logarithm problem, prime factorization and the graph isomorphism problem. In this thesis we take a quantum computational approach to the hidden subgroup problem. We discuss an efficient algorithm for instances of the hidden subgroup problem in abelian groups stated in [4] and apply this algorithm to the discrete logarithm problem. There is no uniform algorithm for the non-abelian case yet. We discuss the approach taken by [4], which considers what happens when we apply the algorithm for the abelian case to the non-abelian case. By doing so, it turns out that we will be able to determine the part of the hidden subgroup that is invariant under conjugation, but we won't be able to efficiently solve the graph isomorphism problem. Although the non-abelian case of the hidden subgroup problem remains open, we will discuss the approach taken by [5], which shows that in extraspecial groups, a class of almost abelian groups, one can solve the hidden subgroup problem efficiently by exploiting clever automorphisms.

Title: A quantum approach to the hidden subgroup problem using group representations and automorphisms

Author: Casper Gyurik, casper.gyurik@student.uva.nl, 10334149

Supervisors: prof. dr. Buhrman and prof. dr. Opdam

Date: July 15, 2015

Korteweg-De Vries Institute for Mathematics University of Amsterdam

Science Park 904, 1098 XH Amsterdam http://www.science.uva.nl/math


Contents

1. Introduction 5

2. The hidden subgroup problem 7

2.1. Problem statement . . . 7

2.2. Instances of the hidden subgroup problem . . . 8

2.2.1. The discrete logarithm . . . 8

2.2.2. Graph isomorphisms of rigid graphs . . . 9

3. Quantum approach to the hidden subgroup problem 12

3.1. A quantum experiment . . . 12

3.1.1. Probability distribution . . . 13

3.2. Constructing the normal core of the hidden subgroup . . . 15

3.2.1. Proof of correctness . . . 16

4. Application: the discrete logarithm problem 21

4.1. Determining probability distribution . . . 22

4.2. Finding the discrete logarithm . . . 23

4.3. Diffie-Hellman key exchange . . . 24

5. Application: the Graph isomorphism problem for rigid graphs 26

5.1. Distinguishing possible hidden subgroups . . . 26

6. The hidden subgroup problem in extraspecial groups 28

6.1. Extraspecial groups . . . 28

6.2. Quantum hiding procedure . . . 30

6.3. Reduction to hiding HZG . . . 30

6.4. The algorithm . . . 32

7. Conclusion 37

8. Popular summary 38

Bibliography 40

A. Representation Theory 41

A.1. Basic notions of representation theory . . . 41


A.1.2. Representations . . . 41

A.1.3. Schur’s lemma . . . 42

A.2. Representations of finite groups: Basic results . . . 42

A.2.1. Characters . . . 43

A.2.2. Orthogonality of characters . . . 43

A.2.3. Orthogonality of Matrix elements . . . 44

A.2.4. Orthogonality of the second kind . . . 44

A.3. Representations of finite groups: Further results . . . 45

A.3.1. Representations of products . . . 45

A.3.2. Induced and Restricted representations . . . 45

A.3.3. Frobenius Reciprocity and Mackey's irreducibility criterion . . . 46

B. Quantum computing 47

B.1. Qubits . . . 47

B.1.1. Multiple Qubits . . . 47

B.2. Measuring a qubit system . . . 48

B.2.1. The measurement axiom . . . 48

B.3. Quantum algorithms for the hidden subgroup problem . . . 49

C. The Fourier transform 50

C.1. Example: The Fourier transform over $C_N$ . . . 51


1. Introduction

The main goal of quantum computers is to efficiently solve problems thought to be intractable for classical computers. Many of these problems, such as prime factorization and the discrete logarithm, can be formulated in terms of the so-called hidden subgroup problem. For this reason, the hidden subgroup problem is an extensively researched keystone problem in quantum computation.

In the hidden subgroup problem we are given a function f on a group G that admits a symmetry. This function f is constant on left cosets of some subgroup H and differs on different left cosets of this subgroup H. Considering a function that has the same properties but for right cosets does not change anything. The goal is to determine where this symmetry lies, or in other words to determine H.

The function f in the hidden subgroup problem contains enough information for us to uniquely determine the hidden subgroup H. Any subgroup H of G partitions G in left cosets. Likewise, our function f partitions G in level-sets. Using the given correspondence between level-sets and cosets we can uniquely determine H.

We do not yet have a classical algorithm that efficiently solves the hidden subgroup problem. We say that an algorithm is efficient if it runs in a number of operations polynomial in log |G|. On a quantum computer we have a firmer grip on the hidden subgroup problem; here it turns out that the difficulty of the problem depends heavily on how far the group G is removed from being abelian. In abelian groups we have an efficient algorithm that solves the hidden subgroup problem. This algorithm gives rise to an efficient algorithm for the discrete logarithm problem. Since the discrete logarithm is thought to be infeasible on classical computers, it is used as the foundation for some cryptosystems, which would be broken with the coming of quantum computers.

The algorithms throughout this thesis are built such that the run-time of the algorithm increases in |G|, whereas the probability of the output being incorrect decreases in |G|. This trade-off works well for the problems we discuss since we can efficiently check whether a solution is correct. If |G| is small, then it is more likely that the output of the algorithm is incorrect. However, in this case the run-time of our algorithm is so small that it does not matter if we have to repeat it a couple of times. If |G| is large, then the algorithm takes quite a while to run. In this case we would like the output to be correct as quickly as possible.

This thesis will discuss [4], in which a natural generalization of the algorithm for abelian groups to a possible algorithm for non-abelian groups is researched. An instance of the hidden subgroup problem in a non-abelian group is the graph isomorphism problem. The graph isomorphism problem is an interesting problem from a computational complexity point of view. It is known that it is in NP, but not whether it is in P nor whether it is NP-complete. Unfortunately, the natural generalization from [4] as discussed in this thesis fails to efficiently solve the graph isomorphism problem.

The natural generalization we discuss entails taking the Fourier transform over a non-abelian group. Fourier transforms over non-abelian groups are defined in terms of the irreducible complex representations of the group. There is no general method for computing the Fourier transform over an arbitrary group. However, there are efficient quantum circuits for computing the Fourier transforms over some groups of interest, for example the symmetric group Sn corresponding with the graph isomorphism problem.

Therefore, the generalization we discuss will be restricted to groups which can be labeled using a reasonable amount of qubits and over which the Fourier transform can be computed efficiently.

Although we do not have a uniform algorithm that efficiently solves the hidden subgroup problem in arbitrary non-abelian groups, there are classes of (almost abelian) groups in which we can efficiently solve the hidden subgroup problem. An example of such a class is the so-called extraspecial groups. The reason why we are able to solve the hidden subgroup problem in such classes of groups is that we can efficiently reduce it to an instance of the hidden subgroup problem in an abelian group, as shown in [5].


2. The hidden subgroup problem

Many well-known quantum algorithms that acquire an exponential speedup over their fastest known classical counterpart are somehow based upon efficiently finding a symmetry. A general problem which defines a broad framework for finding these symmetries can be expressed in terms of group theory. This general problem we call the hidden subgroup problem.

2.1. Problem statement

Formally we define the hidden subgroup problem as:

Problem (The hidden subgroup problem). Let $G$ be a finite group, $S$ a set and $f : G \to S$ an efficiently computable function for which there exists a subgroup $H$ satisfying:

1. $f$ is constant on the left cosets of $H$.

2. $f$ is distinct on different left cosets of $H$.

The hidden subgroup problem is to find this subgroup H.

We will denote an instance of the hidden subgroup problem with group $G$ and function $f$ as HSP(G, f). In this case we say that $f$ hides the hidden subgroup $H$ in $G$.

The hidden subgroup problem HSP(G, f) is well-defined for an appropriate function $f$ and a finite group $G$. By this we mean that we can always uniquely determine the hidden subgroup under the given conditions. One can see this as follows. A subgroup partitions a group into left cosets. Any such partition stems from a unique subgroup. Now equivalently our function $f$ also partitions our group into level-sets $f^{-1}(s)$, $s \in S$, where we know that each level-set corresponds uniquely to a left coset of the hidden subgroup. Because of this our function $f$ contains enough information for us to uniquely determine the hidden subgroup.

We want to efficiently solve the hidden subgroup problem. A solution to the hidden subgroup problem would be a method that allows us to efficiently sample elements from the hidden subgroup. What do we mean by efficient? Using the formulation of the hidden subgroup problem one can see that the hidden subgroup can be written as:

$$H = \{g \in G \mid f(g) = f(e)\},$$

where $e$ is the unit element of $G$.

A naïve (classical) algorithm to determine $H$ would be to determine $f(g)$ for all elements of the group and then check if $f(g) = f(e)$. This would take a number of operations polynomial in $|G|$. Now since in some instances the size of the group grows exponentially with the input, we say that an algorithm is efficient if it takes a number of operations polynomial in $\log |G|$. For any algorithm to be efficient we require $f$ to be efficiently computable.

2.2. Instances of the hidden subgroup problem

The hidden subgroup problem has instances in many fields of discrete mathematics. This section will give a brief introduction to two instances of the hidden subgroup problem to which we will apply the quantum computational methods from [4] in chapters 4 and 5.

2.2.1. The discrete logarithm

The discrete logarithm is the finite-group analogue of the ordinary logarithm that we know from analysis. More formally:

Definition 2.1. Let $G = \langle a \rangle$ be a cyclic group of order $r$ and $b \in G$. The discrete logarithm $s = \log_a b$ is the smallest integer solving the equation $a^s = b$.

Solutions to the equation $a^s = b$ are unique modulo $r$. Now because we limit ourselves to the group generated by $a$ we know that the equation $a^s = b$ must have a solution and thus that the discrete logarithm is well-defined. Using the above definition we can define the discrete logarithm problem.

Problem (The discrete logarithm problem). Let $G = \langle a \rangle$ be a cyclic group of order $r$ and $b \in G$. Find $\log_a b$.

Note that in the definition of the discrete logarithm problem we require prior knowledge of the order of the element $a$. This requirement does not make the discrete logarithm problem quantum computationally harder, since Shor's algorithm efficiently finds the order of $a$, see [1].

To formulate the discrete logarithm problem in terms of the hidden subgroup problem we consider the group $C_r \times C_r$ (the direct product of two cyclic groups of order $r$), the set $G$ (the finite group in which we want to solve the discrete logarithm problem) and the function $f_{a,b} : C_r \times C_r \to G$ defined by $f_{a,b}(g_1, g_2) = b^{g_1} a^{g_2}$. We note that $f_{a,b}$ admits a symmetry, namely for any $g_1, g_2, l \in C_r$ we have:

$$f_{a,b}(g_1 + l, g_2 - ls) = b^{g_1 + l} a^{g_2 - ls} = a^{s(g_1 + l) + g_2 - ls} = a^{s g_1 + g_2} = b^{g_1} a^{g_2} = f_{a,b}(g_1, g_2).$$

In terms of the hidden subgroup we note that $f_{a,b}$ hides the hidden subgroup $H$ given by:

$$H = \{(l, -ls) \mid l \in C_r\}. \tag{2.1}$$

To show that the discrete logarithm problem is reducible to $HSP(C_r \times C_r, f_{a,b})$, suppose we have an efficient algorithm that can determine the subgroup $H$ given by (2.1). Now if we sample an element $(l, -ls)$ from our hidden subgroup such that $l$ and $r$ are coprime, then we can efficiently determine the multiplicative inverse $l^{-1}$ modulo $r$ using the extended Euclidean algorithm and thus solve the discrete logarithm problem by determining $s = l^{-1} \cdot ls$. The number of times we have to sample elements of $H$ in order for this to happen turns out to be polynomial in $\log |G|$. This shows that given a solution to $HSP(C_r \times C_r, f_{a,b})$, we can efficiently solve the discrete logarithm problem.

Proposition 2.2. If we sample $2 \log |G|$ times from $H$ we will observe, with high probability, an element $(l, -ls)$ such that $l$ and $r$ are coprime.

Proof. Let $\varphi(r)$ denote the Euler totient function, i.e. the number of integers smaller than $r$ that are coprime with $r$. By Problem 4.1 in [1] we have that:

$$\varphi(r) > \frac{r}{2 \log r}.$$

Using this we get that for any $n < r$ the probability of $n$ being coprime with $r$ equals:

$$P[\gcd(n, r) = 1] = \frac{\varphi(r)}{r} > \frac{1}{2 \log r} > \frac{1}{2 \log |G|}.$$

Thus sampling $2 \log |G|$ times will result in observing, with high probability, an element $(l, -ls)$ such that $l$ and $r$ are coprime.
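The reduction of section 2.2.1 and the sampling argument of Proposition 2.2, worked through classically as an added example (this is not code from the thesis): on a constructed instance with $p = 101$, $a = 2$ (of order $r = 100$ modulo $101$) and a secret $s$, it checks that the level set of $f_{a,b}$ through the identity is exactly the subgroup $H$ of (2.1), recovers $s$ from a sampled $(l, -ls)$ with $\gcd(l, r) = 1$ via the modular inverse, and measures the fraction $\varphi(r)/r$ of usable samples.

```python
"""DLP -> HSP(C_r x C_r, f_{a,b}) reduction from section 2.2.1, simulated classically.

Constructed instance (not from the thesis): G = <a> inside (Z/pZ)^*, with p = 101 and
a = 2, which has order r = 100 modulo 101; b = a^s for a secret exponent s.
"""
from math import gcd
from random import Random

P = 101   # prime modulus of the constructed instance
A = 2     # generator a of the cyclic group G = <a>
R = 100   # order r of a modulo P, so C_r = Z/100Z


def f_ab(b, g1, g2):
    """f_{a,b}(g1, g2) = b^{g1} a^{g2} in G, the function that hides H."""
    return pow(b, g1, P) * pow(A, g2, P) % P


def hidden_subgroup(s):
    """H = {(l, -ls) | l in C_r}, equation (2.1)."""
    return {(l, (-l * s) % R) for l in range(R)}


def level_set_of_identity(b):
    """The naive |G|^2-sized classical search the text contrasts with an efficient
    algorithm: {(g1, g2) | f_{a,b}(g1, g2) = f_{a,b}(0, 0)}.  By the coset property of
    the HSP this level set must be H itself."""
    e = f_ab(b, 0, 0)
    return {(g1, g2) for g1 in range(R) for g2 in range(R) if f_ab(b, g1, g2) == e}


def recover_s(sample):
    """Given (l, m) = (l, -ls) in H with gcd(l, r) = 1, return s = -m * l^{-1} mod r.
    Returns None when l has no inverse modulo r, i.e. the sample must be discarded."""
    l, m = sample
    if gcd(l, R) != 1:
        return None
    return (-m * pow(l, -1, R)) % R          # pow(l, -1, R) is the extended-Euclid inverse


def sample_until_coprime(s, rng, budget):
    """Draw uniform elements of H until one has gcd(l, r) = 1 (Proposition 2.2).
    Returns (recovered s, samples used) or (None, budget) if the budget runs out."""
    elems = sorted(hidden_subgroup(s))
    for used in range(1, budget + 1):
        s_hat = recover_s(rng.choice(elems))
        if s_hat is not None:
            return s_hat, used
    return None, budget


def coprime_fraction(r):
    """phi(r)/r, the success probability of a single draw in the proof of Proposition 2.2."""
    return sum(1 for n in range(1, r + 1) if gcd(n, r) == 1) / r
```

For $r = 100$ only $\varphi(100)/100 = 0.4$ of the samples are usable, which is why the proposition budgets $2\log|G|$ draws rather than one.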

2.2.2. Graph isomorphisms of rigid graphs

A graph isomorphism is a map between the vertices of two graphs such that it preserves adjacency. More formally:

Definition 2.3. Let $G_1 = (V_1, E_1)$ and $G_2 = (V_2, E_2)$ be two graphs. A map $f : V_1 \to V_2$ is called an isomorphism if it is a bijection that preserves adjacency, i.e. if $(v, w) \in E_1$ then $(f(v), f(w)) \in E_2$.

Two graphs $G_1$ and $G_2$ are called isomorphic if there exists an isomorphism between them; we denote this with $G_1 \cong G_2$. An example of two isomorphic graphs can be found in figure 2.1. Using this definition we state the graph isomorphism problem:

Problem (The graph isomorphism problem). Let $G_1$ and $G_2$ be two graphs. Determine if $G_1$ and $G_2$ are isomorphic.

The graph isomorphism problem is an interesting problem in the world of complexity theory. It is one of the few problems which is known to be in NP but is not known to be in either P or NP-complete. What makes this so interesting is that if P $\neq$ NP then there exist problems of intermediate status. It is suspected that the graph isomorphism problem may very well be one of these intermediate problems.

To formulate the graph isomorphism problem in terms of the hidden subgroup problem we have to introduce a group.

Figure 2.1: Two isomorphic graphs (figure not reproduced in this text)

Definition 2.4. Let $G$ be a graph with $n$ vertices. The automorphism group, $\mathrm{Aut}(G)$, is the group of all isomorphisms from $G$ onto itself. It can be viewed as a subgroup of $S_n$, the permutation group on $n$ elements.

We also need the definition of the disjoint union of two graphs.

Definition 2.5. Let $G_1 = (V_1, E_1)$ and $G_2 = (V_2, E_2)$ be two graphs. The disjoint union $G = G_1 \sqcup G_2$ is defined by $G = (V_1 \sqcup V_2, E_1 \sqcup E_2)$.

So, by taking the disjoint union of two graphs we place both graphs next to each other and consider them as one graph.

To link this automorphism group to the graph isomorphism problem we use a lemma from [7].

Lemma 2.6. Let $G_1 = (V_1, E_1)$, $G_2 = (V_2, E_2)$ be two connected graphs with $n$ vertices, and let $G = G_1 \sqcup G_2$ be their disjoint union. Then $G_1$ and $G_2$ are isomorphic if and only if there exist $g_1 \in V_1$, $g_2 \in V_2$ and $\sigma \in \mathrm{Aut}(G)$ such that $\sigma(g_1) = g_2$.

Proof. $\Longrightarrow$: Suppose $G_1$ and $G_2$ are isomorphic and let $f$ be an isomorphism between $G_1$ and $G_2$. We can now define an element $\sigma \in \mathrm{Aut}(G)$ that satisfies the necessary property by:

$$\sigma(g) = \begin{cases} f(g) & \text{if } g \in V_1, \\ f^{-1}(g) & \text{if } g \in V_2. \end{cases}$$

$\Longleftarrow$: Suppose there exists an element $\sigma \in \mathrm{Aut}(G)$ such that there exist $g_1 \in G_1$ and $g_2 \in G_2$ with $\sigma(g_1) = g_2$. Under a graph isomorphism connected components are mapped to connected components. Since $G_1$ and $G_2$ are the only connected components of $G$ we have that $\sigma$ maps $G_1$ to $G_2$. By this we have that $\sigma|_{G_1}$ is an isomorphism between $G_1$ and $G_2$.

From now on we will only consider the graph isomorphism problem for rigid graphs.

Definition 2.7. A graph $G$ is called rigid if $\mathrm{Aut}(G) = \{e\}$.


Lemma 2.8. Let $G = G_1 \sqcup G_2$, where $G_1$ and $G_2$ are disjoint, connected and rigid graphs, and let $n$ denote the number of vertices of $G$. Then

1. if $G_1 \not\cong G_2$, then $\mathrm{Aut}(G) = \{e\}$, and

2. if $G_1 \cong G_2$, then $\mathrm{Aut}(G) = \{e, \sigma\}$, where $\sigma$ is a permutation consisting of $n/2$ disjoint 2-cycles.

Proof. 1. Suppose $G_1 \not\cong G_2$. Then by lemma 2.6 any element of $\mathrm{Aut}(G)$ must be of the form $\sigma_1 \sqcup \sigma_2$, where $\sigma_1 \in \mathrm{Aut}(G_1)$ and $\sigma_2 \in \mathrm{Aut}(G_2)$. But since both $G_1$ and $G_2$ are rigid, $\mathrm{Aut}(G) = \{e\}$.

2. Suppose $G_1 \cong G_2$. Then by lemma 2.6 there must exist an element $\sigma$ of $\mathrm{Aut}(G)$ that maps $G_1$ to $G_2$ and vice versa. We can view this element as an element of $S_n$ as follows:

$$\sigma = \prod_{v_1 \in V_1} (v_1, f(v_1)),$$

where $f$ is an isomorphism between $G_1$ and $G_2$. Now suppose there exists another non-trivial element $\tau \in \mathrm{Aut}(G)$. Because the automorphism groups of $G_1$ and $G_2$ are trivial, this $\tau$ must map $G_1$ to $G_2$ and vice versa. Now consider the product $\sigma\tau$; it maps $G_1$ to $G_1$ and $G_2$ to $G_2$. Again since both automorphism groups are trivial we get that:

$$\sigma\tau = e \iff \tau = \sigma^{-1} = \sigma.$$

Suppose we want to determine whether two graphs $G_1$ and $G_2$ are isomorphic. In terms of the hidden subgroup problem we consider the group $S_n$, the set $\mathcal{G}$ of all graphs and the function $f : S_n \to \mathcal{G}$ defined by $f(\sigma) = \sigma(G)$, where $G = G_1 \sqcup G_2$. We note that $f$ admits a symmetry, namely for any $\sigma \in \mathrm{Aut}(G)$ and $\pi \in S_n$:

$$f(\pi\sigma) = \pi(\sigma(G)) = \pi(G) = f(\pi).$$

In other words, $f$ hides $\mathrm{Aut}(G)$ in $S_n$. So if we could efficiently determine $\mathrm{Aut}(G)$ using an efficient solution to $HSP(S_n, f)$, we could determine whether $G_1$ and $G_2$ are isomorphic by applying lemma 2.8. This shows that the graph isomorphism problem for rigid graphs is reducible to $HSP(S_n, f)$, an instance of the hidden subgroup problem.
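Lemma 2.8 checked by brute force on two small constructed rigid graphs, as an added example (the graphs and the code are not from the thesis): $\mathrm{Aut}(G_1 \sqcup G_2)$ is assembled from the component-preserving maps $\mathrm{Aut}(G_1) \times \mathrm{Aut}(G_2)$ and the component-swapping maps (an isomorphism $G_1 \to G_2$ paired with one $G_2 \to G_1$), which is exactly the case split used in the proofs of lemmas 2.6 and 2.8, and the single non-trivial automorphism in the isomorphic case is verified to be a product of $n/2$ disjoint 2-cycles.

```python
"""Lemma 2.8 on constructed 6-vertex rigid graphs; automorphisms of the disjoint union
are enumerated using the fact (proof of Lemma 2.6) that a graph isomorphism maps
connected components to connected components."""
from itertools import permutations


def edge_set(edges):
    """Undirected edge list -> frozenset of 2-element frozensets."""
    return frozenset(frozenset(e) for e in edges)


def isomorphisms(V1, E1, V2, E2):
    """All bijections V1 -> V2 carrying E1 onto E2 (brute force over |V2|! maps)."""
    if len(V1) != len(V2) or len(E1) != len(E2):
        return []
    found = []
    for image in permutations(V2):
        f = dict(zip(V1, image))
        if frozenset(frozenset(f[v] for v in e) for e in E1) == E2:
            found.append(f)
    return found


def automorphisms_of_union(V1, E1, V2, E2):
    """Aut(G1 ⊔ G2) for connected G1, G2 on disjoint vertex sets, as permutation dicts."""
    auts = []
    for f in isomorphisms(V1, E1, V1, E1):          # component-preserving: Aut(G1) x Aut(G2)
        for g in isomorphisms(V2, E2, V2, E2):
            auts.append({**f, **g})
    for f in isomorphisms(V1, E1, V2, E2):          # component-swapping: G1 -> G2 and G2 -> G1
        for g in isomorphisms(V2, E2, V1, E1):
            auts.append({**f, **g})
    return auts


def is_n_half_two_cycles(sigma):
    """True if sigma is a product of n/2 disjoint 2-cycles: no fixed points and sigma^2 = e."""
    return all(sigma[v] != v and sigma[sigma[v]] == v for v in sigma)


def lemma_2_8_case(V1, E1, V2, E2):
    """('isomorphic', sigma) or ('not isomorphic', None), read off Aut(G1 ⊔ G2) as in Lemma 2.8."""
    auts = automorphisms_of_union(V1, E1, V2, E2)
    non_trivial = [a for a in auts if any(a[v] != v for v in a)]
    if not non_trivial:
        return "not isomorphic", None
    (sigma,) = non_trivial          # for rigid G1 ≅ G2 exactly one non-trivial element exists
    return "isomorphic", sigma


# Constructed rigid graph G1: triangle 1-2-3 with a length-2 tail at 1 and a leaf at 2.
V1 = (1, 2, 3, 4, 5, 6)
E1 = edge_set([(1, 2), (2, 3), (1, 3), (1, 4), (4, 5), (2, 6)])
# G2: a relabelled copy of G1 on vertices 7..12, so G1 ≅ G2.
RELABEL = {1: 9, 2: 11, 3: 7, 4: 12, 5: 8, 6: 10}
V2 = tuple(range(7, 13))
E2 = frozenset(frozenset(RELABEL[v] for v in e) for e in E1)
# G3: G1 with the extra edge 4-6 (then relabelled); still rigid but with 7 edges, so G1 ≇ G3.
V3 = tuple(range(7, 13))
E3 = frozenset(frozenset(RELABEL[v] for v in e) for e in E1 | edge_set([(4, 6)]))
```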


3. Quantum approach to the hidden subgroup problem

In this chapter we will approach the hidden subgroup problem from a quantum computational perspective. We discuss the approach taken in [4]. This approach entails attempting to generalize the already existing efficient algorithm that solves the hidden subgroup problem in abelian groups. Throughout this chapter we will use quantum computing, representation theory and the Fourier transform. The necessary preliminaries can be found in appendices A, B and C respectively.

3.1. A quantum experiment

For the hidden subgroup problem in abelian groups there already exists an efficient quantum algorithm. This algorithm is based on a quantum experiment. We will discuss a generalization of this experiment as given in [4] and discuss its derived properties.

Experiment 3.1 (Experiment for HSP(G, f)).

1. Prepare the state $\sum_{g \in G} |g, f(g)\rangle$.

2. Measure the second register; this will result in the state $\sum_{h \in H} |ch, f(ch)\rangle$, where $c$ is some element of $G$ selected uniformly at random.

3. Discard the second register and compute the Fourier transform of the state from step 2:

$$\sum_{\rho \in \mathrm{Irr}(G)} \sum_{i,j=1}^{\dim V_\rho} \sqrt{\frac{\dim V_\rho}{|G||H|}} \left( \sum_{h \in H} \rho(ch) \right)_{i,j} |\rho, i, j\rangle.$$

4. Measure the first register and observe an irreducible representation $\rho$.

A quick thing to notice about this experiment is that in our final step we only measure the first register. This thesis discusses, following [4], what information regarding the hidden subgroup we can obtain by doing so. In section 3.1.1 we will see that, by only measuring the first register, we are guaranteed that the outcome of the experiment is independent of the random $c$ from step 2. This independence is key: repetitions of this experiment result in the same distribution over the irreducibles of the group.


3.1.1. Probability distribution

We want to find out when experiment 3.1 gives enough information for us to efficiently determine the hidden subgroup. Our analysis of experiment 3.1 is based upon its (theoretical) distribution as derived in [4].

Theorem 3.1 (Distribution of the outcomes of experiment 3.1). For every subgroup $H$ of $G$, the probability $P_H(\rho)$ of observing $\rho$ in the experiment for the HSP, with hidden subgroup $H$, is given by:

$$P_H(\rho) = \frac{|H|}{|G|} \dim V_\rho \, \langle \chi_\rho | \chi_{\mathrm{triv}} \rangle_H = \frac{|H|}{|G|} \dim V_\rho \, \langle \chi_{\mathrm{Ind}_H^G \rho_{\mathrm{triv}}} | \chi_\rho \rangle_G.$$

We will now, using a couple of lemmas, prove theorem 3.1. The proofs we discuss are given by [4]. For any superposition, the probability of observing a state is the sum of the squares of the absolute values of its coefficients. In our case this leads to:

$$P_H(\rho) = \sum_{0 \le i,j \le \dim V_\rho} \left| \sqrt{\frac{\dim V_\rho}{|G||H|}} \left( \sum_{h \in H} \rho(ch) \right)_{ij} \right|^2 = \frac{\dim V_\rho}{|G||H|} \sum_{0 \le i,j \le \dim V_\rho} \left| \left( \sum_{h \in H} \rho(ch) \right)_{ij} \right|^2 = \frac{\dim V_\rho}{|G||H|} \left\| \sum_{h \in H} \rho(ch) \right\|_2^2 = \frac{\dim V_\rho}{|G||H|} \left\| \rho(c) \sum_{h \in H} \rho(h) \right\|_2^2 = \frac{\dim V_\rho}{|G||H|} \left\| \sum_{h \in H} \rho(h) \right\|_2^2, \tag{3.1}$$

where we used that $\rho(c)$ is unitary and $\|A\|_2$ is the natural norm given by $\|A\|_2^2 = \mathrm{tr}\, A^* A = \sum_{i,j} |A_{i,j}|^2$. Now to further simplify expression 3.1 we have the following lemma.

Lemma 3.2. Let $\rho \in \mathrm{Irr}(G)$ and suppose it decomposes into irreducibles over $H$ as $\mathrm{Res}_H \rho = \sigma_1 \oplus \cdots \oplus \sigma_k$, where $\sigma_i \in \mathrm{Irr}(H)$. Then in an appropriate basis:

$$\sum_{h \in H} \rho(h) = \begin{pmatrix} \sum_{h \in H} \sigma_1(h) & 0 & \cdots & 0 \\ 0 & \sum_{h \in H} \sigma_2(h) & \cdots & 0 \\ \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & \cdots & \sum_{h \in H} \sigma_k(h) \end{pmatrix}. \tag{3.2}$$

Proof. Since we evaluate $\rho$ only on $H$, we may instead consider $\mathrm{Res}_H \rho$. Note that $\mathrm{Res}_H \rho$ may not be irreducible over $H$. Now in an appropriate basis $\rho(h)$ is comprised of block matrices, each corresponding to a $\sigma_i$ in the decomposition of $\mathrm{Res}_H \rho$. From this

Now that we have acquired a simplified expression for $P_H$ in terms of $\sum_{h \in H} \rho(h)$ and have written $\sum_{h \in H} \rho(h)$ as a block matrix we are ready to prove theorem 3.1.

Proof of theorem 3.1. Suppose $\rho$ decomposes into irreducibles over $H$ as $\mathrm{Res}_H \rho = \sigma_1 \oplus \cdots \oplus \sigma_k$. Equations 3.1 and 3.2 give us:

$$P_H(\rho) = \frac{\dim V_\rho}{|G||H|} \left\| \sum_{h \in H} \rho(h) \right\|_2^2 = \frac{\dim V_\rho}{|G||H|} \sum_{i=1}^{k} \left\| \sum_{h \in H} \sigma_i(h) \right\|_2^2 = \frac{\dim V_\rho}{|G||H|} \sum_{i=1}^{k} |H|^2 \langle \chi_{\sigma_i} | \chi_{\mathrm{triv}} \rangle_H = \frac{\dim V_\rho}{|G||H|} |H|^2 \langle \chi_\rho | \chi_{\mathrm{triv}} \rangle_H = \frac{|H|}{|G|} \dim V_\rho \, \langle \chi_\rho | \chi_{\mathrm{triv}} \rangle_H,$$

where the third equality follows from the orthogonality of matrix elements as in proposition A.17. Applying Frobenius reciprocity finishes the proof.

A less cumbersome but more technical way to prove theorem 3.1 is to define $P = \frac{1}{|H|} \sum_{h \in H} \rho(h) \in \mathrm{End}(V_\rho)$, the orthogonal projector onto the space of $H$-invariants, and note that $P$ is a self-adjoint idempotent operator. Applying this to 3.1 we get:

$$P_H(\rho) = \frac{\dim V_\rho}{|G||H|} \left\| \sum_{h \in H} \rho(h) \right\|_2^2 = \frac{\dim V_\rho}{|G||H|} \big\| |H| P \big\|_2^2 = \frac{\dim V_\rho}{|G||H|} |H|^2 \, \mathrm{tr}(P^* P) = \frac{|H|}{|G|} \dim V_\rho \, \mathrm{tr}(P^2) = \frac{|H|}{|G|} \dim V_\rho \, \mathrm{tr}(P) = \frac{|H|}{|G|} \dim V_\rho \, \frac{1}{|H|} \sum_{h \in H} \mathrm{tr}(\rho(h)) = \frac{|H|}{|G|} \dim V_\rho \, \frac{1}{|H|} \sum_{h \in H} \chi_\rho(h) = \frac{|H|}{|G|} \dim V_\rho \, \langle \chi_\rho | \chi_{\mathrm{triv}} \rangle_H.$$

How can we apply experiment 3.1 to efficiently solve the hidden subgroup problem? One could start by repeating the experiment a certain number of times to approximate its distribution. One could then compare this approximation with the (theoretical) distributions, as in theorem 3.1, for different hidden subgroups and decide which hidden subgroup fits best. Although this might work in some cases, it does not work in general.

Corollary 3.3. Experiment 3.1 does not distinguish between conjugate subgroups.


Proof. Follows directly from the fact that $\chi_\rho$ and $\chi_{\rho_{\mathrm{triv}}}$ are class functions.

This corollary tells us that even if we had a perfect approximation of the distribution of experiment 3.1, we would not be able to distinguish between possible conjugate hidden subgroups. We are only able to possibly distinguish hidden subgroups that are not conjugate. A class of such hidden subgroups are hidden subgroups with different normal cores.

3.2. Constructing the normal core of the hidden subgroup

Since our experiment 3.1 does not distinguish between conjugate subgroups, see corollary 3.3, one could only hope to be able to determine the part of the subgroup that is invariant under conjugation. We call this part of the subgroup its normal core, and in this section we discuss an algorithm from [4] that determines the normal core of the hidden subgroup using $O(\log |G|)$ queries of experiment 3.1. We assume that we can efficiently compute the intersection of an $O(\log |G|)$-sized family of kernels.

Definition 3.4. Let $H$ be a subgroup of $G$. The normal core $H_G$ of $H$ in $G$ is the largest subgroup of $H$ that is normal in $G$.

The normal core is well-defined. Suppose there are two different largest subgroups of $H$ that are normal in $G$, say $N_1$ and $N_2$. Then their product $N = N_1 N_2$ is a subgroup of $H$ that is normal in $G$ and contains both $N_1$ and $N_2$.

In this section we will discuss the following algorithm from [4] and prove that it constructs the normal core of any hidden subgroup using $O(\log |G|)$ queries of experiment 3.1. The proofs discussed in this section are given by [4].

Algorithm 3.1 (Algorithm that outputs the normal core $H_G$ of the hidden subgroup $H$).

1. For $i = 1, \ldots, s = 4 \log_2 |G|$, run experiment 3.1 and observe an irreducible representation $\sigma_i \in \mathrm{Irr}(G)$.

2. Let $N_i = \bigcap_{j=1}^{i} \ker(\sigma_j)$.

3. Output $N = N_s$.

When $H$ is normal in $G$ we have $H_G = H$, so that this algorithm determines $H$ with high probability. Also note that in an abelian group any subgroup is normal.
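Experiment 3.1, the distribution of theorem 3.1 and algorithm 3.1 worked out for the abelian group $C_r \times C_r$, where the irreducibles are the characters $\chi_{(u,v)}(x, y) = \omega^{ux + vy}$ with $\omega = e^{2\pi i / r}$ and every $\dim V_\rho = 1$; this is an added example, not code from [4] or the thesis. It assumes the constructed values $r = 30$ and the discrete-logarithm style hidden subgroup $H = \{(l, -ls)\}$ with $s = 7$; because every subgroup of an abelian group is normal, $H_G = H$ and the kernel intersection of algorithm 3.1 should return $H$ itself.

```python
"""Theorem 3.1 and Algorithm 3.1 for G = C_r x C_r (constructed r = 30, s = 7).
For a character chi the 'kernel' ker(chi) = {g : chi(g) = 1} and the probability of
Theorem 3.1 reduces to P_H(chi) = |H|/|G| * <chi | chi_triv>_H."""
import cmath
import math
from itertools import product
from random import Random

R = 30                                              # r: both factors are C_30
S = 7                                               # secret exponent defining H
G = list(product(range(R), repeat=2))               # all elements of C_r x C_r
H = frozenset((l, (-l * S) % R) for l in range(R))  # H = {(l, -ls)}, eq. (2.1)
OMEGA = cmath.exp(2j * math.pi / R)                 # primitive r-th root of unity


def chi(u, v, x, y):
    """Irreducible character chi_(u,v) of C_r x C_r evaluated at (x, y)."""
    return OMEGA ** ((u * x + v * y) % R)


def prob(H, u, v):
    """Theorem 3.1: P_H(rho) = |H|/|G| * dim(V_rho) * <chi_rho | chi_triv>_H, with
    dim = 1 and <chi | chi_triv>_H = (1/|H|) * sum_{h in H} conj(chi(h)).
    The value is real; we round away floating-point noise from the root of unity."""
    inner = sum(chi(u, v, *h).conjugate() for h in H) / len(H)
    return round((len(H) / len(G) * inner).real, 9)


def distribution(H):
    """P_H over all of Irr(G), keyed by the label (u, v) of each character."""
    return {(u, v): prob(H, u, v) for (u, v) in G}


def kernel(u, v):
    """ker(chi_(u,v)) = {(x, y) : ux + vy = 0 mod r}, a (normal) subgroup of G."""
    return frozenset((x, y) for (x, y) in G if (u * x + v * y) % R == 0)


def run_experiment(dist, rng):
    """One run of experiment 3.1: observe an irreducible drawn according to P_H."""
    labels = list(dist)
    return rng.choices(labels, weights=[dist[lab] for lab in labels])[0]


def normal_core(H, rng):
    """Algorithm 3.1 with s = 4 log2|G| queries: intersect the kernels of the
    observed irreducibles.  In an abelian group H_G = H, so the result should be H."""
    dist = distribution(H)
    s = math.ceil(4 * math.log2(len(G)))
    N = frozenset(G)
    for _ in range(s):
        u, v = run_experiment(dist, rng)
        N &= kernel(u, v)
    return N
```

Only the $r$ characters with $u \equiv sv \pmod r$ are trivial on $H$, so they each receive probability $|H|/|G| = 1/r$ and every other character has probability 0; a single observed character with $\gcd(v, r) = 1$ already has kernel exactly $H$.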


3.2.1. Proof of correctness

We will discuss the proofs from [4] which show that the procedure in algorithm 3.1 converges, with high probability, to the normal core of the hidden subgroup.

Theorem 3.5. Algorithm 3.1 returns $H_G$ with probability at least $1 - 2e^{-\log_2 |G| / 8}$.

We reduce the proof of theorem 3.5 to two lemmas. The proofs of these two lemmas are mainly based upon the principle of induced representations. For background on the theory used we refer to appendix A.

Lemma 3.6. If the irreducible representation $\rho$ can be sampled by experiment 3.1 (i.e. it has non-zero probability), then $H_G \subset \ker(\rho)$.

Proof. We begin with a recollection of the induced representation $\mathrm{Ind}_H^G \rho_{\mathrm{triv}}$. Let $\rho$ be a representation of a subgroup $H$ of $G$. Formally the induced representation of $\rho$ is defined as the representation over the vector space

$$\mathrm{Ind}_H^G V_\rho = \{ f : G \to V_\rho : f(hx) = \rho(h) f(x), \ \forall x \in G, h \in H \},$$

with the action $(\rho(g) f)(x) = f(xg)$, $\forall g \in G$. In example A.23 we saw that, in the case of $\rho$ being the trivial representation, the induced representation $\mathrm{Ind}_H^G \rho_{\mathrm{triv}}$ can also be defined as some sort of 'coset-permutation' representation. Namely, let $G/H = \{g_1, \ldots, g_k\}$ be a full system of representatives for the left cosets of $H$. Then the induced representation $\mathrm{Ind}_H^G \rho_{\mathrm{triv}}$ can be defined as the complex vector space with basis $\{[g_1 H], \ldots, [g_k H]\}$, with the action:

$$\mathrm{Ind}_H^G \rho_{\mathrm{triv}}(x)([gH]) = [xgH].$$

Using this description of $\mathrm{Ind}_H^G \rho_{\mathrm{triv}}$, we can derive an identity that links the normal core of the hidden subgroup to representations of $G$:

$$\ker(\mathrm{Ind}_H^G \rho_{\mathrm{triv}}) = H_G. \tag{3.3}$$

First we prove the forward inclusion $\ker(\mathrm{Ind}_H^G \rho_{\mathrm{triv}}) \subseteq H_G$. Suppose $x \in \ker(\mathrm{Ind}_H^G \rho_{\mathrm{triv}})$, i.e. $\mathrm{Ind}_H^G \rho_{\mathrm{triv}}(x)$ equals the identity map. This means that for any $g \in G$:

$$\mathrm{Ind}_H^G \rho_{\mathrm{triv}}(x)([gH]) = [xgH] = [gH].$$

In other words, $xgH = gH$ for all $g \in G$. In particular, for $g = e$, we have $xH = H$, which implies that $x \in H$. So, $\ker(\mathrm{Ind}_H^G \rho_{\mathrm{triv}}) \subseteq H$. Now since the kernel of a representation is normal we must have that $\ker(\mathrm{Ind}_H^G \rho_{\mathrm{triv}}) \subseteq H_G$.

For the reverse inclusion $H_G \subseteq \ker(\mathrm{Ind}_H^G \rho_{\mathrm{triv}})$, suppose $x \in H_G$. Since $H_G$ is normal we have that for any $g \in G$ there is some $x' \in H_G$ such that $xg = gx'$. Now consider the map $\mathrm{Ind}_H^G \rho_{\mathrm{triv}}(x) : gH \mapsto xgH = gx'H = gH$. So $\mathrm{Ind}_H^G \rho_{\mathrm{triv}}(x)$ equals the identity.


Suppose $\rho$ has a non-zero probability of being measured in experiment 3.1. We then have $\langle \chi_{\mathrm{Ind}_H^G \rho_{\mathrm{triv}}} | \chi_\rho \rangle_G \neq 0$. In other words, $\rho$ is contained in the decomposition of $\mathrm{Ind}_H^G \rho_{\mathrm{triv}}$. Together with 3.3 this implies that:

$$H_G = \ker(\mathrm{Ind}_H^G \rho_{\mathrm{triv}}) \subseteq \ker(\rho).$$

Now that we have established that the normal core is included in the kernels of the $\sigma_i$, we want to know if, by taking the intersection, $N_s$ indeed converges to $H_G$ using only $O(\log |G|)$ queries of experiment 3.1.

Lemma 3.7. For any subgroup $H$ of $G$, if $N_i \not\subseteq H$, then:

$$P[N_{i+1} = N_i] \le \frac{1}{2}.$$

Proof. Suppose we obtain $N_{i+1}$ by observing $\sigma$ from experiment 3.1, i.e. $N_{i+1} = N_i \cap \ker(\sigma)$. Then we have:

$$N_i = N_{i+1} \iff N_i \subseteq \ker(\sigma).$$

This shows that the probability that $N_{i+1}$ equals $N_i$ is the same as the probability that $N_i$ is contained in the kernel of $\sigma$. Let $P_H$ denote the distribution of experiment 3.1 when $H$ is the hidden subgroup. We now have:

$$P[N_{i+1} = N_i] = P[N_i \subseteq \ker(\sigma)] = \sum_{\substack{\rho \in \mathrm{Irr}(G) \\ N_i \subseteq \ker(\rho)}} P_H(\rho) = \frac{|H|}{|G|} \sum_{\substack{\rho \in \mathrm{Irr}(G) \\ N_i \subseteq \ker(\rho)}} \dim V_\rho \, \langle \chi_\rho | \chi_{\rho_{\mathrm{triv}}} \rangle_H. \tag{3.4}$$

To simplify this expression we write $N$ for $N_i$ and decompose $\mathrm{Ind}_N^G \rho_{\mathrm{triv}} = \bigoplus_{\rho \in \mathrm{Irr}(G)} n_\rho \rho$. Suppose $N \not\subseteq \ker(\rho)$. By lemma 3.6:

$$N = N_G = \ker(\mathrm{Ind}_N^G \rho_{\mathrm{triv}}) \not\subseteq \ker(\rho),$$

which implies that $n_\rho = 0$. Now suppose that $N \subseteq \ker(\rho)$. By Frobenius reciprocity:

$$n_\rho = \langle \chi_{\mathrm{Ind}_N^G \rho_{\mathrm{triv}}} | \chi_\rho \rangle_G = \langle \chi_{\rho_{\mathrm{triv}}} | \chi_\rho \rangle_N = \frac{1}{|N|} \sum_{n \in N} \chi_\rho(n) = \frac{1}{|N|} \sum_{n \in N} \mathrm{Tr}(I) = \frac{1}{|N|} \sum_{n \in N} \dim V_\rho = \dim V_\rho.$$


This results in the decomposition:

$$\mathrm{Ind}_N^G \rho_{\mathrm{triv}} = \bigoplus_{\substack{\rho \in \mathrm{Irr}(G) \\ N \subseteq \ker(\rho)}} \dim V_\rho \, \rho. \tag{3.5}$$

We already know that, by Frobenius reciprocity:

$$\mathrm{Ind}_H^G \rho_{\mathrm{triv}} = \bigoplus_{\rho \in \mathrm{Irr}(G)} \langle \chi_{\mathrm{Ind}_H^G \rho_{\mathrm{triv}}} | \chi_\rho \rangle_G \, \rho = \bigoplus_{\rho \in \mathrm{Irr}(G)} \langle \chi_\rho | \chi_{\rho_{\mathrm{triv}}} \rangle_H \, \rho. \tag{3.6}$$

To get back to expression 3.4 we combine 3.5 and 3.6 to get:

$$\langle \chi_{\mathrm{Ind}_H^G \rho_{\mathrm{triv}}} | \chi_{\mathrm{Ind}_N^G \rho_{\mathrm{triv}}} \rangle_G = \Big\langle \sum_{\rho \in \mathrm{Irr}(G)} \langle \chi_\rho | \chi_{\rho_{\mathrm{triv}}} \rangle_H \, \chi_\rho \ \Big|\ \sum_{\substack{\rho \in \mathrm{Irr}(G) \\ N \subseteq \ker(\rho)}} \dim V_\rho \, \chi_\rho \Big\rangle_G = \sum_{\substack{\rho \in \mathrm{Irr}(G) \\ N \subseteq \ker(\rho)}} \dim V_\rho \, \langle \chi_\rho | \chi_{\rho_{\mathrm{triv}}} \rangle_H \, \langle \chi_\rho | \chi_\rho \rangle_G = \sum_{\substack{\rho \in \mathrm{Irr}(G) \\ N_i \subseteq \ker(\rho)}} \dim V_\rho \, \langle \chi_\rho | \chi_{\rho_{\mathrm{triv}}} \rangle_H.$$

So to further simplify equation 3.4 we want to find an alternate way of writing $\langle \chi_{\mathrm{Ind}_H^G \rho_{\mathrm{triv}}} | \chi_{\mathrm{Ind}_N^G \rho_{\mathrm{triv}}} \rangle_G$. Applying Frobenius reciprocity and decomposing the restricted induction, see section A.3.3, we get:

$$\langle \chi_{\mathrm{Ind}_H^G \rho_{\mathrm{triv}}} | \chi_{\mathrm{Ind}_N^G \rho_{\mathrm{triv}}} \rangle_G = \langle \chi_{\rho_{\mathrm{triv}}} | \chi_{\mathrm{Res}_H^G \mathrm{Ind}_N^G \rho_{\mathrm{triv}}} \rangle_H = \sum_{g \in H \backslash G / N} \langle \chi_{\rho_{\mathrm{triv}}} | \chi_{\mathrm{Ind}_{N^g}^H \rho_{\mathrm{triv}}} \rangle_H, \tag{3.7}$$

where $N^g = H \cap gNg^{-1} = H \cap N$, and $g$ runs through a full system of representatives for the double cosets $H \backslash G / N$. If we again apply Frobenius reciprocity, now to the right-hand side of equation 3.7, we get:

$$\langle \chi_{\mathrm{Ind}_H^G \rho_{\mathrm{triv}}} | \chi_{\mathrm{Ind}_N^G \rho_{\mathrm{triv}}} \rangle_G = \sum_{g \in H \backslash G / N} \langle \chi_{\rho_{\mathrm{triv}}} | \chi_{\mathrm{Ind}_{N^g}^H \rho_{\mathrm{triv}}} \rangle_H = \sum_{g \in H \backslash G / N} \langle \chi_{\rho_{\mathrm{triv}}} | \chi_{\rho_{\mathrm{triv}}} \rangle_{N^g} = |H \backslash G / N|. \tag{3.8}$$

Since $N$ is normal in $G$ we have that for any double coset $HgN = HNg$. So a system of representatives of the double cosets $H \backslash G / N$ equals a system of representatives for the right cosets of the subgroup $HN$. Applying this to equation 3.8 we get:

$$\langle \chi_{\mathrm{Ind}_H^G \rho_{\mathrm{triv}}} | \chi_{\mathrm{Ind}_N^G \rho_{\mathrm{triv}}} \rangle_G = |H \backslash G / N| = |G / HN| = \frac{|G|}{|HN|}. \tag{3.9}$$

Now to finalize the proof we substitute 3.9 into 3.4 to get:

$$P[N_{i+1} = N_i] = \frac{|H|}{|G|} \langle \chi_{\mathrm{Ind}_H^G \rho_{\mathrm{triv}}} | \chi_{\mathrm{Ind}_N^G \rho_{\mathrm{triv}}} \rangle_G = \frac{|H|}{|G|} \cdot \frac{|G|}{|HN|} = \frac{|H|}{|HN|} \le \frac{1}{2}, \quad \text{if } N \not\subseteq H.$$

Using lemmas 3.6 and 3.7 we can rephrase the current situation as follows. Each time we run experiment 3.1, when we have yet to find the normal core, we toss a (biased) coin, and when this coin lands heads our $N_i$ moves closer to $H_G$. In fact, this new $N_{i+1}$ must have order at most half the order of $N_i$. A simple group-theoretical fact tells us how many times our coin has to land heads-up.

Proposition 3.8. Any chain of subgroups $H_1 \subsetneq H_2 \subsetneq \cdots \subsetneq H_k$ of a group $G$ can be no longer than $\log_2 |G|$, i.e. $k \le \log_2 |G|$.

Proof. Suppose $k > \log_2 |G|$. For any $i \in \{1, \ldots, k-1\}$ we have that $|H_i|$ divides $|H_{i+1}|$, which implies that $|H_{i+1}| \ge 2|H_i|$. If we extend this inductively we get:

$$|H_k| \ge 2^k |H_1| > |G| \, |H_1| \ge |G|.$$

This contradicts that $H_k$ is a subgroup of $G$.

Using proposition 3.8 our goal is to prove that if we repeat experiment 3.1 $s = 4\log_2|G|$ times we have that, with high probability, the coin we tossed has landed heads up at least $\log_2|G|$ times. To help us prove this we need a special case of the so-called Azuma's inequality:

Proposition 3.9 (Special case of Azuma's inequality). Let $X_1,\dots,X_k$ be random variables that take values in $\{0,1\}$ such that $P[X_i = 0 \mid X_1,\dots,X_{i-1}] \le \frac12$. Then:
$$P\Big[\sum_{i=1}^k X_i \le \lambda\Big] \le 2e^{-\lambda^2/2k}.$$

After all this preparation we are now ready to prove theorem 3.5.

Proof of theorem 3.5. Let $\sigma_1,\dots,\sigma_k$ be irreducible representations observed from experiment 3.1 with $k = 4\log_2|G|$. Let $N_i$ be as in algorithm 3.1 and define the indicator random variables $X_1,\dots,X_k$ as:
$$X_i = \begin{cases} 1 & \text{if } N_i \subset H \text{ or } N_{i+1} \ne N_i,\\ 0 & \text{otherwise.}\end{cases}$$
For these indicator random variables we note that lemma 3.7 implies that:
$$P[X_i = 0 \mid X_1,\dots,X_{i-1}] \le \frac12.$$
Now by the special case of Azuma's inequality 3.9 with $\lambda = \log_2|G|$ we have that:
$$P\Big[\sum_{i=1}^k X_i \le \log_2|G|\Big] \le 2e^{-\log_2|G|/8}.$$
So with probability at least $1 - 2e^{-\log_2|G|/8}$ we have that at least $\log_2|G|$ of the indicator random variables $X_i$ equal 1. Now since a chain of subgroups of a group $G$ can never be longer than $\log_2|G|$, by proposition 3.8, we have that $N_k \subset H$. Since $N_k$ is normal in $G$ we have that $N_k \subset H_G$.

4. Application: the discrete logarithm problem

In this section we apply the theory developed in chapter 3 to the discrete logarithm problem. Recall the discrete logarithm problem.

Problem (The discrete logarithm problem). Let $G = \langle a\rangle$ be a cyclic group of order $r$ and $b \in G$. Find the smallest $s \in \mathbb N$ that solves the equation $a^s = b$.

In section 2.2.1 we have seen that the discrete logarithm problem reduces to $\mathrm{HSP}(C_r\times C_r, f)$, an instance of the hidden subgroup problem, where the function $f$ is defined by $f(x_1,x_2) = b^{x_1}a^{x_2}$ and we have the hidden subgroup:
$$H = \{(l, -ls) \mid l \in C_r\}.$$

In order to make experiment 3.1 more explicit we first have to determine the irreducibles of $C_r\times C_r$.

Proposition 4.1. The irreducibles of $C_r\times C_r$ are given by:
$$\mathrm{Irr}(C_r\times C_r) = \{\rho_{j,k}(x,y) = e^{2\pi i(jx+ky)/r} \mid j,k = 0,\dots,r-1\}.$$

Proof. In section C.1 we have shown that the irreducibles of a cyclic group are:
$$\mathrm{Irr}(C_r) = \{\rho_j(x) = e^{2\pi ijx/r} \mid j = 0,\dots,r-1\}.$$
Furthermore, we have seen in section A.3.1 that the irreducibles of a direct product of groups are the tensor products of the irreducibles of the respective groups. In our case this implies:
$$\mathrm{Irr}(C_r\times C_r) = \{\rho\otimes\sigma \mid \rho,\sigma\in\mathrm{Irr}(C_r)\} = \{\rho_{j,k}(x,y) = e^{2\pi i(jx+ky)/r} \mid j,k = 0,\dots,r-1\}.$$

Using proposition 4.1 we rewrite experiment 3.1 into a more explicit form for our instance of the hidden subgroup problem. Instead of writing $|\rho_{j,k}\rangle$ we write $|(j,k)\rangle$.

Experiment 4.1 (Experiment for the $\mathrm{HSP}(C_r\times C_r, f)$).

1. Prepare the state $\sum_{g\in G}|g, f(g)\rangle$.

2. Measure the second register; this will result in the state $\sum_{h\in H}|ch, f(ch)\rangle$, where $c$ is some element of $G$ selected uniformly at random.

3. Discard the second register and compute the Fourier transform of the state from step 2:
$$\sum_{(j,k)\in C_r\times C_r}\sqrt{\frac{1}{r^3}}\sum_{(l,-ls)\in H} e^{2\pi i(j-ks)cl/r}\,|(j,k)\rangle.$$

4. Measure the register and observe the label $|(j,k)\rangle$ of an irreducible representation.

4.1. Determining the probability distribution

Now to solve the current instance of the hidden subgroup problem we want to run experiment 4.1 in an attempt to get information regarding the hidden subgroup. The possible outcomes of experiment 4.1 are distributed as follows.

Proposition 4.2. Let $P_H$ be the distribution of experiment 4.1 where $H$ is the hidden subgroup, then:
$$P_H(|(j,k)\rangle) = \begin{cases}\frac1r & \text{if } j \equiv ks \pmod r,\\ 0 & \text{otherwise.}\end{cases}$$

Proof. Theorem 3.1 gives us two ways to compute the distribution of experiment 4.1. First we will explicitly compute the distribution using the restricted representation.
$$P_H(|(j,k)\rangle) = \frac{|H|}{|C_r\times C_r|}\langle\chi_{\rho_{j,k}}|\chi_{\rho_{triv}}\rangle_H = \frac1r\Big(\frac{1}{|H|}\sum_{h\in H}\chi_{\rho_{j,k}}(h)\Big) = \frac{1}{r^2}\sum_{l\in C_r}\chi_{\rho_{j,k}}(l,-ls) = \frac{1}{r^2}\sum_{l\in C_r}e^{2\pi i(jl-kls)/r} = \frac{1}{r^2}\sum_{l\in C_r}e^{2\pi il(j-ks)/r} = \begin{cases}\frac1r & \text{if } j\equiv ks \pmod r,\\ 0 & \text{otherwise.}\end{cases}$$

Another way to compute the distribution is by determining the character of the induced trivial representation. Consider the system of representatives for the right cosets of $H$ given by:
$$G/H = \{(0,k) \mid k\in C_r\}.$$
The induced representation $\mathrm{Ind}_H^G\rho_{triv}$ is given by the complex vector space with basis $\{[(0,k)+H] \mid k\in C_r\}$ upon which we have the action:
$$\mathrm{Ind}_H^G\rho_{triv}((x,y)) : [(0,k)+H] \mapsto [(x,y+k)+H] = [(0, y+xs+k)+H]. \qquad (4.1)$$
Since $\mathrm{Ind}_H^G\rho_{triv}$ is a permutation representation its character equals the number of its fixed points. If we look at 4.1 we see that any left coset $[(0,k)+H]$ is a fixed point of $(x,y)\in C_r\times C_r$ if and only if $y\equiv -xs \pmod r$. This implies:
$$\chi_{\mathrm{Ind}_H^G\rho_{triv}}(x,y) = \begin{cases} r & \text{if } y\equiv -xs \pmod r,\\ 0 & \text{otherwise.}\end{cases}$$
If we apply this to theorem 3.1 we get:
$$P_H(|(j,k)\rangle) = \frac{|H|}{|G|}\langle\chi_{\mathrm{Ind}_H^G\rho_{triv}}|\chi_\rho\rangle_G = \frac1r\Big(\frac{1}{|C_r\times C_r|}\sum_{g\in C_r\times C_r}\chi_{\mathrm{Ind}_H^G\rho_{triv}}(g)\,\overline{\chi_{\rho_{j,k}}(g)}\Big) = \frac{1}{r^3}\sum_{l\in C_r} r\,\overline{\chi_{\rho_{j,k}}(l,-ls)} = \frac{1}{r^2}\sum_{l\in C_r}e^{-2\pi i(jl-kls)/r} = \frac{1}{r^2}\sum_{l\in C_r}e^{-2\pi il(j-ks)/r} = \begin{cases}\frac1r & \text{if } j\equiv ks \pmod r,\\ 0 & \text{otherwise.}\end{cases}$$

4.2. Finding the discrete logarithm

Proposition 4.2 tells us that the outcome of experiment 4.1 is uniformly distributed over the set $\{(ks, k) \mid k\in C_r\}$. How can we use this to find the discrete logarithm $s$?

Algorithm 4.1 (Algorithm to find the discrete logarithm).

1. Run experiment 4.1 and measure $(ks, k)$, where $k\in C_r$.

2. Use the Euclidean algorithm to check if $\gcd(k,r) = 1$.
   a) If not: go back to step 1.
   b) Else: apply the extended Euclidean algorithm to determine the multiplicative inverse $k^{-1}$ modulo $r$ and go to step 3.

3. Return $s \equiv k^{-1}\cdot ks \pmod r$.

Proposition 4.3. Algorithm 4.1 returns, with high probability, the discrete logarithm $s$ using $O(\log r)$ runs of experiment 4.1.

Proof. The number of times algorithm 4.1 has to run experiment 4.1 depends entirely on the probability that the measured $k$ is coprime with $r$. Proposition 2.2 shows that the probability that a uniformly random $k$ smaller than $r$ is coprime with $r$ is given by:
$$P[\gcd(k,r) = 1] = \frac{\varphi(r)}{r} \ge \frac{1}{2\log r}.$$
Using the above expression and some elementary probability theory we conclude that, with high probability, running experiment 4.1 $2\log|G|$ times would result in a $k$ that is coprime with $r$ and would thus result in algorithm 4.1 returning the discrete logarithm.
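The classical post-processing of algorithm 4.1, as an added example that is not part of the thesis. The quantum experiment is not simulated as a circuit; instead the measured label $(j,k)$ is drawn from the distribution of proposition 4.2, which requires knowing $s$, so `s` is passed in only to stand in for the hidden subgroup and the post-processing never reads it. The function `character_sum_distribution` evaluates the character sum from the proof of proposition 4.2 numerically so one can see it collapse to $1/r$ on the pairs with $j \equiv ks$ and to $0$ elsewhere. Function names, the seed-based random source and the default cap of 64 runs are choices made for this example.

```python
import cmath
import math
import random

# Added example (not from the thesis): algorithm 4.1's classical steps, driven by
# samples from the distribution of proposition 4.2 instead of a quantum experiment.


def character_sum_distribution(r, s):
    """Evaluate P_H(|(j,k)>) = (1/r^2) * sum_l exp(2 pi i l (j - k s)/r) for all (j, k).

    The geometric sum equals r when j = k*s (mod r) and 0 otherwise, so the
    returned dict holds 1/r on r labels and 0 on the rest (proposition 4.2).
    """
    probs = {}
    for j in range(r):
        for k in range(r):
            total = sum(cmath.exp(2 * math.pi * 1j * l * (j - k * s) / r) for l in range(r))
            probs[(j, k)] = round((total / r ** 2).real, 9)
    return probs


def sample_experiment(r, s, rng):
    """One simulated run of experiment 4.1: a uniform k and the label j = k*s mod r."""
    k = rng.randrange(r)
    return (k * s) % r, k


def recover_dlog(r, s, seed=1, max_runs=64):
    """Algorithm 4.1. Returns (s_found, runs_used), or (None, max_runs) if every run failed.

    max_runs is a generous cap; proposition 4.3 says O(log r) runs suffice with
    high probability because each run succeeds with probability phi(r)/r.
    """
    rng = random.Random(seed)  # seeded so the simulation is reproducible
    for run in range(1, max_runs + 1):
        j, k = sample_experiment(r, s, rng)
        if math.gcd(k, r) != 1:
            continue  # step 2a: k has no inverse modulo r, run the experiment again
        k_inv = pow(k, -1, r)  # step 2b: the extended Euclidean algorithm (built in)
        return (k_inv * j) % r, run  # step 3: s = k^{-1} * (k s) mod r
    return None, max_runs


def coprime_probability(r):
    """phi(r)/r, the per-run success probability used in the proof of proposition 4.3."""
    return sum(1 for k in range(1, r + 1) if math.gcd(k, r) == 1) / r
```

With a composite order such as $r = 12$ roughly a third of the runs produce an invertible $k$, which is the case where the gcd check in step 2 matters; with prime $r$ every nonzero $k$ works on the first try.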

4.3. Diffie-Hellman key exchange

Since the discrete logarithm problem is considered infeasible on classical computers, some cryptographic schemes are based upon its hardness. In symmetric-key cryptography two parties exchange messages which are encrypted and decrypted using a secret shared key. A problem that comes with this is the exchange of the shared key. How can we make sure we securely exchange this shared key? In 1976 Whitfield Diffie and Martin Hellman published a scheme to securely exchange a shared key to be used in symmetric-key cryptosystems, which is based upon the hardness of the discrete logarithm.

Scheme 4.1 (Diffie-Hellman key exchange). Suppose Alice and Bob want to securely exchange a shared key. To do so they take the following steps:

1. They agree upon and publish a (large) prime number $p$ and a primitive root modulo $p$, say $g$.

2. Alice, in secret, chooses a random $0 \le a \le p-1$ and Bob, also in secret, chooses a random $0 \le b \le p-1$.

3. Alice publishes $A = g^a \pmod p$ and Bob publishes $B = g^b \pmod p$.

4. Alice computes $k = B^a \pmod p$ and Bob computes $k = A^b \pmod p$.

After this scheme Alice and Bob share a key $k = g^{ab}$. Suppose Eve wants to try and find out this key $k$. The only information Eve has is the information that has been published: $p$, $g$, $A$ and $B$. For Eve to find $k$ she could solve the equations $A = g^a$ for $a$ and $B = g^b$ for $b$. This would require Eve to have an efficient solution to the discrete logarithm problem.

Since there is no known efficient solution to the discrete logarithm problem on classical computers, the Diffie-Hellman key exchange is considered safe. However, algorithm 4.1 shows that there exists an efficient quantum algorithm to solve the discrete logarithm problem. The Diffie-Hellman key exchange does not remain safe with the coming of quantum computers.
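Scheme 4.1 on toy parameters, as an added example that is not part of the thesis. Besides the exchange itself it includes the check a practitioner wants for step 1 (that $g$ really is a primitive root modulo $p$, verified through the prime factors of $p-1$) and the classical work left to Eve in the text, which here is exhaustive search over the exponent and therefore linear in $p$. The prime $p = 23$ with $g = 5$ is a constructed toy instance; function names are choices made for this example.

```python
# Added example (not from the thesis): Diffie-Hellman (scheme 4.1) with the
# primitive-root check from step 1 and the classical cost of Eve's problem.


def prime_factors(n):
    """Distinct prime factors of n by trial division (adequate for the toy sizes used here)."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors


def is_primitive_root(g, p):
    """g generates (Z/pZ)^* iff g^((p-1)/q) != 1 mod p for every prime q dividing p-1."""
    return 1 < g < p and all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))


def dh_exchange(p, g, a, b):
    """Steps 3 and 4 of scheme 4.1. Returns (A, B, Alice's key, Bob's key)."""
    A = pow(g, a, p)        # Alice publishes A = g^a mod p
    B = pow(g, b, p)        # Bob publishes B = g^b mod p
    k_alice = pow(B, a, p)  # Alice: B^a = g^(ab) mod p
    k_bob = pow(A, b, p)    # Bob:   A^b = g^(ab) mod p
    return A, B, k_alice, k_bob


def exhaustive_dlog(g, A, p):
    """Solve A = g^a mod p by trying every exponent: p - 1 multiplications in the worst case.

    This is the classical route the text leaves to Eve; its linear cost in p is
    what choosing a large p buys, and it is the cost algorithm 4.1 removes on a
    quantum computer.
    """
    x = 1
    for a in range(p - 1):
        if x == A:
            return a
        x = (x * g) % p
    return None
```

For $p = 23$, $g = 5$, $a = 6$, $b = 15$ both parties end with $k = 2$, and the same value is reachable by Eve only through the exponent search; for a $p$ of a few thousand bits that search is out of reach classically, which is the whole basis of the scheme.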

5. Application: the graph isomorphism problem for rigid graphs

Section 2.2.2 shows that the graph isomorphism problem for rigid graphs with $n$ vertices reduces to $\mathrm{HSP}(S_{2n}, f)$. In this chapter we will apply the theory from chapter 3 to this instance of the hidden subgroup problem. We will discuss a section of [4] which shows that by only using experiment 3.1 we will not be able to decide whether two graphs are isomorphic or not.

5.1. Distinguishing possible hidden subgroups

In the reduction of the graph isomorphism problem for rigid graphs of $n$ vertices to $\mathrm{HSP}(S_{2n}, f)$ we proved the following lemma.

Lemma 5.1. Let $G = G_1\cup G_2$, where $G_1$ and $G_2$ are disjoint, connected and rigid graphs and let $n$ denote the number of vertices of $G$. Then
1. if $G_1\not\cong G_2$, then $\mathrm{Aut}(G) = \{e\}$, and
2. if $G_1\cong G_2$, then $\mathrm{Aut}(G) = \{e,\sigma\}$, where $\sigma\in S_n$ is a permutation of $n/2$ disjoint 2-cycles.

In order to decide whether two rigid graphs are isomorphic we run experiment 3.1 and decide which hidden subgroup matches the distribution best. However, unfortunately we are unable to do so.

Theorem 5.2. Let $G_1$ and $G_2$ be two connected and rigid graphs with $n$ vertices. Let $P_{H_{not}}(\rho)$ be the probability of sampling $\rho$ in experiment 3.1 when $G_1\not\cong G_2$, and let $P_{H_{iso}}(\rho)$ be the same probability when $G_1\cong G_2$. Then $\|P_{H_{not}} - P_{H_{iso}}\|_1 \le 2^{-\Omega(n)}$.

Proof. By lemma 5.1, when $G_1\not\cong G_2$ we have $H_{not} = \{e\}$. Now by theorem 3.1:
$$P_{H_{not}}(\rho) = \frac{|\{e\}|}{|S_n|}\dim(V_\rho)\langle\chi_\rho|\chi_{\rho_{triv}}\rangle_H = \frac{1}{n!}\dim(V_\rho)\chi_\rho(e) = \frac{(\dim(V_\rho))^2}{n!}. \qquad (5.1)$$
Again by lemma 5.1, when $G_1\cong G_2$ we have $H_{iso} = \{e,\sigma\}$, where $\sigma$ is the product of $n/2$ disjoint 2-cycles. By theorem 3.1:
$$P_{H_{iso}}(\rho) = \frac{|\{e,\sigma\}|}{|S_n|}\dim(V_\rho)\langle\chi_\rho|\chi_{\rho_{triv}}\rangle_H = \frac{\dim(V_\rho)}{n!}\big(\dim(V_\rho) + \chi_\rho(\sigma)\big). \qquad (5.2)$$

Combining equations 5.1 and 5.2 we get:
$$\begin{aligned}\|P_I - P_N\|_1 &= \sum_\rho |P_I(\rho) - P_N(\rho)| = \frac{1}{n!}\sum_\rho \dim(V_\rho)\,|\chi_\rho(\sigma)| \qquad &(5.3)\\ &\le \frac{1}{n!}\sqrt{\sum_\rho \dim(V_\rho)^2}\,\sqrt{\sum_\rho|\chi_\rho(\sigma)|^2} \qquad &(5.4)\\ &= \frac{1}{n!}\sqrt{n!}\,\sqrt{\sum_\rho|\chi_\rho(\sigma)|^2} \qquad &(5.5)\\ &= \frac{1}{\sqrt{n!}}\sqrt{\sum_\rho|\chi_\rho(\sigma)|^2}, \qquad &(5.6)\end{aligned}$$
where, to get from 5.3 to 5.4 we applied the Cauchy-Schwarz inequality and to get from 5.4 to 5.5 we applied the sum of squares rule. The sum of squares rule states that $|G| = \sum_{\rho\in\mathrm{Irr}(G)}(\dim(V_\rho))^2$, and follows directly from Maschke's theorem as in appendix C.

We want to apply the orthogonality of the second kind of the characters. Orthogonality of the second kind states that $\sum_\rho|\chi_\rho(\sigma)|^2 = \frac{|G|}{|C(\sigma)|}$, where $C(\sigma)$ denotes the conjugacy class of $\sigma$. A brief description and proof can be found in section A.2.4. To apply this we need to compute the size of the conjugacy class of $\sigma$. We know from elementary group theory that the conjugacy class of $\sigma$ consists of all permutations of the same cycle type as $\sigma$. To compute the size of the conjugacy class we have the formula
$$|C(\sigma)| = \frac{n!}{\prod_m m^{i_m}\, i_m!},$$
where $i_m$ denotes the number of times $m$ occurs in the cycle type of $\sigma$. In our case we have that $\sigma$ consists of $n/2$ cycles of length 2. So we have that:
$$|C(\sigma)| = \frac{n!}{2^{n/2}\,(n/2)!}. \qquad (5.7)$$
We implement orthogonality of the second kind into equation 5.6 to get:
$$\begin{aligned}\|P_I - P_N\|_1 &\le \frac{1}{\sqrt{n!}}\sqrt{\sum_\rho|\chi_\rho(\sigma)|^2} = \frac{1}{\sqrt{n!}}\sqrt{\frac{n!}{|C(\sigma)|}} \qquad &(5.8)\\ &= \frac{1}{\sqrt{n!}}\sqrt{2^{n/2}\,(n/2)!} = \sqrt{\frac{2^{n/2}\,(n/2)!}{n!}} \le 2^{-\Omega(n)}. \qquad &(5.9)\end{aligned}$$

Theorem 5.2 shows that the probability distributions of experiment 3.1 are nearly equal for the cases $G_1\cong G_2$ and $G_1\not\cong G_2$. One can compare this with being handed a weighted die with weights so close to each other that we would be unable to tell them apart. This shows that experiment 3.1 will fail to determine whether or not $G_1$ and $G_2$

6. The hidden subgroup problem in extraspecial groups

In chapter 3 we discussed a section of [4] which derives an algorithm that efficiently solves the hidden subgroup problem in abelian groups. Although we saw in chapter 5 that this algorithm does not work to efficiently solve the hidden subgroup problem in non-abelian groups, there are still classes of non-abelian groups in which we can efficiently solve the hidden subgroup problem. An example of such a class of groups are the so-called extraspecial groups. This chapter will discuss [5], which shows that we can reduce an instance of the hidden subgroup problem in extraspecial groups to an instance of the hidden subgroup problem in an abelian group.

6.1. Extraspecial groups

To formally define extraspecial groups we need to define certain subgroups.

Definition 6.1. Let $G$ be a group. We have the following subgroups of $G$:

i) The center of $G$, defined as $Z_G = \{g\in G \mid gh = hg,\ \forall h\in G\}$.

ii) The commutator subgroup of $G$, defined as $[G,G] = \langle\{xyx^{-1}y^{-1} \mid x,y\in G\}\rangle$.

iii) The Frattini subgroup $\Phi(G)$, the intersection of all maximal subgroups. A subgroup $H\subset G$ is called maximal if there does not exist a subgroup $F$ such that $H\subsetneq F\subsetneq G$.

All of the subgroups in definition 6.1 are connected with how abelian $G$ is. For example, the commutator subgroup is the smallest normal subgroup such that the quotient group of the original group by this subgroup is abelian. In other words, $G/N$ is abelian if and only if $N$ contains the commutator subgroup. One could measure how abelian a group is by saying: the larger the commutator subgroup is, the "less abelian" the group is.

Definition 6.2. Let $p$ be a prime number.

i) A $p$-group is a group of order $p^n$, for some $n\in\mathbb N$.

ii) A $p$-group $G$ is special if $\Phi(G) = Z_G = [G,G]$.

Although definition 6.2 might seem cumbersome, the characterization of all extraspecial groups is quite comprehensible. If $G$ is an extraspecial $p$-group then $|G| = p^{2k+1}$ for some integer $k$. We begin by characterizing the smallest non-abelian extraspecial groups, the ones of order $p^3$. It turns out that we can construct any non-abelian extraspecial group using only these smallest non-abelian extraspecial groups.

For $p = 2$ we have, up to isomorphism, two extraspecial 2-groups of order 8. These are the quaternion group $Q$ and the dihedral group $D_4$.

For $p > 2$, up to isomorphism, we again have two extraspecial $p$-groups of order $p^3$. The first one is the Heisenberg group $H_p$, consisting of upper triangular $3\times3$ matrices over $\mathbb F_p$ with 1's on the diagonal. The other one is $A_p$, the group of maps $t\mapsto at+b$ from $\mathbb Z/p^2\mathbb Z$ to $\mathbb Z/p^2\mathbb Z$, where $a\equiv 1 \pmod p$ and $b\in\mathbb Z/p^2\mathbb Z$.

Using the above extraspecial $p$-groups of order $p^3$, we can obtain any extraspecial $p$-group of order $p^{2k+1}$ using a construction called the central product.

Definition 6.3. Let $G_1,\dots,G_k$ be extraspecial $p$-groups of order $p^3$; then their central product $G_1\times_Z\cdots\times_Z G_k$ is the factor group
$$G_1\times\cdots\times G_k \pmod z,$$
where $z$ is an arbitrary generator of $Z_{G_i}$ for $i = 1,\dots,k$.

Note that the definition of the central product does not depend on the choice of $z$, because all centers of extraspecial $p$-groups are isomorphic and of order $p$, so that any non-identity element $z$ is a generator of these isomorphic centers.

It turns out that any extraspecial $p$-group of order $p^{2k+1}$ can be obtained as the central product of $k$ extraspecial $p$-groups of order $p^3$. With some algebra we can show that $D_4\times_Z D_4\cong Q\times_Z Q$. Because of this, up to isomorphism, the unique extraspecial 2-groups of order $2^{2k+1}$ are $\times_{Z,i=1}^{k} D_4$ and $(\times_{Z,i=1}^{k-1} D_4)\times_Z Q$. When $p > 2$, we can show that $H_p\times_Z A_p\cong A_p\times_Z A_p$. Therefore, up to isomorphism, the unique extraspecial $p$-groups of order $p^{2k+1}$ are $\times_{Z,i=1}^{k} H_p$ and $(\times_{Z,i=1}^{k-1} H_p)\times_Z A_p$. We summarize the characterization of extraspecial $p$-groups in table 6.1.

$p = 2$: $G\cong \times_{Z,i=1}^{k} D_4$ or $G\cong (\times_{Z,i=1}^{k-1} D_4)\times_Z Q$
$p > 2$: $G\cong \times_{Z,i=1}^{k} H_p$ or $G\cong (\times_{Z,i=1}^{k-1} H_p)\times_Z A_p$

Table 6.1.: Characterization of extraspecial $p$-groups of order $p^{2k+1}$

Another way of describing extraspecial $p$-groups is by giving a set of generators and defining relations. For the extraspecial $p$-groups of order $p^3$ we will take three generators $x$, $y$ and $z$, where $z$ generates the center of the group, for which we have the following defining relations:
$$Q = \langle x^2 = y^2 = [x,y] = z,\ z^2 = 1\rangle,$$
$$D_4 = \langle x^2 = y^2 = z^2 = 1,\ [x,y] = z,\ [x,z] = [y,z] = 1\rangle,$$
$$H_p = \langle x^p = y^p = z^p = 1,\ [x,y] = z,\ [x,z] = [y,z] = 1\rangle,$$
$$A_p = \langle x^{p^2} = y^p = 1,\ [x,y] = z = x^p,\ [y,z] = 1\rangle.$$

Using these defining relations, it follows that any element in an extraspecial group of order $p^3$ has a unique representation of the form $x^iy^jz^k$ where $i,j,k\in C_p$. Using the central-product construction, it follows that any extraspecial $p$-group of order $p^{2k+1}$ can be generated by $2k+1$ elements $x_1,y_1,\dots,x_k,y_k,z$, where any element of the group has a unique representation of the form $x_1^{i_1}y_1^{j_1}\cdots x_k^{i_k}y_k^{j_k}z^l$, with $i_1,j_1,\dots,i_k,j_k,l\in C_p$.

6.2. Quantum hiding procedure

In the standard algorithm from [4], as discussed in chapter 3, we required the existence of a black box to prepare the state $\frac{1}{|G|}\sum_{g\in G}|g\rangle|f(g)\rangle$, where $f$ was the function hiding the hidden subgroup. The existence of this black box is essential; we needed it to create the superposition over a left coset of the hidden subgroup. In [5], instead of considering a black box, they consider so-called hiding sets.

Definition 6.4. Let $\mathcal H$ be a Hilbert space. We say that a set of vectors $\{|\Psi_g\rangle \mid g\in G\}$ in $\mathcal H$ is a hiding set for the subgroup $H$ in $G$ if

i) $|\Psi_g\rangle$ is a unit vector for every $g\in G$,

ii) if $g$ and $g'$ are in the same left coset of $H$ then $|\Psi_g\rangle = |\Psi_{g'}\rangle$,

iii) if $g$ and $g'$ are in different left cosets of $H$ then $|\Psi_g\rangle$ and $|\Psi_{g'}\rangle$ are orthogonal.

We say that a quantum procedure is hiding the hidden subgroup $H\subset G$ if for every $g\in G$, on the input $|g\rangle|0\rangle$ it outputs $|g\rangle|\Psi_g\rangle$, where $\{|\Psi_g\rangle \mid g\in G\}$ is a hiding set for $H$.

In [6] it is shown that instead of considering a black box to prepare the state $\frac{1}{|G|}\sum_{g\in G}|g\rangle|f(g)\rangle$ we might as well consider an efficient quantum hiding procedure.

Theorem 6.5. Let $G$ be a finite abelian group. If there exists an efficient quantum procedure which hides the subgroup $H$ of $G$, then there is an efficient quantum algorithm for finding $H$.

Proof. We alter the standard algorithm from chapter 3. In step 3 of experiment 3.1, instead of preparing the state $\frac{1}{|G|}\sum_{g\in G}|g\rangle|f(g)\rangle$ using the black box we prepare the state $\frac{1}{|G|}\sum_{g\in G}|g\rangle|\Psi_g\rangle$ using the quantum hiding procedure. After measuring the second register this will result in the same possible superpositions in step 2 by the definition of a quantum hiding set.

6.3. Reduction to hiding $HZ_G$

In this section we will discuss a section from [5] which reduces the hidden subgroup problem in an extraspecial group to an instance of the hidden subgroup problem in an abelian group. In short, this will show that if we can construct (using our hiding function $f$) an efficient quantum procedure hiding $HZ_G$, then we can efficiently find our hidden subgroup $H$. The idea behind this is that we can reduce finding $HZ_G$ to an instance of the hidden subgroup problem in an abelian group and that finding $HZ_G$ is equivalent to finding $H$. The reduction is given in theorem 6.9, which is proven using a series of lemmas given by [5].

Lemma 6.6. Let $G$ be an extraspecial $p$-group, and let $f$ hide the subgroup $H$ in $G$. Then finding $H$ is reducible to finding $HZ_G$.

Proof. Since $G$ is an extraspecial $p$-group, we have that $Z_G$ is a cyclic group of prime order. Because of this, we either have $Z_G\subset H$ or $Z_G\cap H = \{1\}$. To distinguish between these two cases one can check whether $f(z) = f(1)$.

Suppose $Z_G\subset H$; then $HZ_G = H$ and therefore an algorithm that efficiently finds $HZ_G$ immediately yields $H$.

Suppose $Z_G\cap H = \{1\}$; then we claim that $HZ_G$ is abelian. To show this, it suffices to show that $H$ is abelian. Let $h_1,h_2\in H$; then there exists an $l\in C_p$ such that $h_1h_2 = h_2h_1z^l$, since $Z_G = [G,G] = \langle z\rangle$. This implies that $z^l\in Z_G\cap H = \{1\}$, therefore $h_1h_2 = h_2h_1$, which shows that $H$ is indeed abelian. Now suppose we can efficiently find $HZ_G$ in this case; then the restriction of the hiding function $f$ to $HZ_G$ still hides $H$. Since $HZ_G$ is abelian we can efficiently find $H$ using our standard algorithm from chapter 3.

We will show that finding $HZ_G$ can be reduced to an instance of the hidden subgroup problem in an abelian group $\overline G$. Here the abelian group $\overline G$ is defined as $\overline G = G/[G,G]$. Note that $\overline G$ is indeed abelian, since the commutator subgroup $[G,G]$ is the smallest subgroup such that the quotient group $G/[G,G]$ is abelian. We define for any element $g = x_1^{i_1}y_1^{j_1}\cdots x_k^{i_k}y_k^{j_k}z^l\in G$ the element $\overline g = x_1^{i_1}y_1^{j_1}\cdots x_k^{i_k}y_k^{j_k}\in G$. Another way to define $\overline G$ is as the group whose underlying set is $\{\overline g \mid g\in G\}$, with the group operation defined by $\overline{g_1}*\overline{g_2} = \overline{g_1g_2}$. This way $\overline G$ can be viewed as a subset of $G$; note that $\overline G$ is not a subgroup of $G$. This alternative definition allows us to define $HZ_G\cap\overline G$, and as it turns out this is a subgroup of $\overline G$ since $HZ_G/[G,G]$ is a subgroup of $G/[G,G]$.

Lemma 6.7. Let $G$ be an extraspecial $p$-group, and let $f$ hide the subgroup $H$ in $G$. Then finding $HZ_G$ is reducible to finding $HZ_G\cap\overline G$ in $\overline G$.

Proof. Using the alternative definition of $\overline G$ and that $Z_G = [G,G] = \langle z\rangle$ we see that:
$$HZ_G = H[G,G] = (H[G,G]\cap\overline G)[G,G] = (HZ_G\cap\overline G)Z_G. \qquad (6.1)$$
If we can efficiently find $HZ_G\cap\overline G$ we can also efficiently find a generating set $X$ of $HZ_G\cap\overline G$. Now by equation 6.1, we can efficiently construct $HZ_G$ by just adding $z$ to this generating set $X$.

Because $\overline G$ is abelian and we have a standard algorithm for efficiently solving the hidden subgroup problem in abelian groups, we would like to construct a quantum hiding procedure that hides $HZ_G\cap\overline G$ in $\overline G$. As it turns out it is enough to construct a

Lemma 6.8. Let $G$ be an extraspecial $p$-group, and let $f$ hide the subgroup $H$ in $G$. If we have an efficient quantum procedure that hides $HZ_G$ in $G$ then we can efficiently find $HZ_G\cap\overline G$ in $\overline G$.

Proof. If a procedure hides $HZ_G$ in $G$, it also hides $HZ_G\cap\overline G$ in $\overline G$. Now since $\overline G$ is abelian, we have by theorem 6.5 that we can efficiently find $HZ_G\cap\overline G$.

Now we combine these lemmas into the final reduction. The main goal of the rest of this chapter is to create an efficient quantum procedure (using $f$) that hides $HZ_G$ so that we can apply this reduction.

Theorem 6.9. Let $G$ be an extraspecial $p$-group, and let $f$ hide the subgroup $H$ in $G$. If we have an efficient quantum procedure $g$ hiding $HZ_G$ in $G$ then $\mathrm{HSP}(G,f)$ can be solved efficiently.

Proof.
Suppose $g$ hides $HZ_G$ in $G$ (6.8)
$\Longrightarrow$ we can efficiently find $HZ_G\cap\overline G$ in $\overline G$ (6.7)
$\Longrightarrow$ we can efficiently find $HZ_G$ in $G$ (6.6)
$\Longrightarrow$ we can efficiently find $H$ in $G$.

6.4. The algorithm

We have seen in section 6.3 that if we can construct (using $f$) an efficient quantum procedure hiding $HZ_G$, then we can efficiently solve the hidden subgroup problem in extraspecial groups. In this section we will discuss another section of [5] which derives an efficient quantum procedure hiding $HZ_G$. Since the order of any extraspecial group is $p^{2k+1}$, an efficient algorithm has to be polynomial in both $k$ and $\log p$. In [5] they distinguish three cases; in this thesis we present only one of the applied methods since it works for all cases.

For every $u\in C_p$, let $|Z_G^u\rangle = \frac{1}{\sqrt p}\sum_{i\in C_p}\omega^{-ui}|z^i\rangle$, where $\omega$ is a $p$-th root of unity. For our hiding procedure we want to efficiently create the superposition $|aHZ_G^u\rangle$ for certain appropriate $u\in C_p$ and random $a\in G$.

Lemma 6.10. There is an efficient quantum procedure which creates $\frac{1}{\sqrt p}\sum_{u\in C_p}|u\rangle\otimes|aHZ_G^u\rangle$.

Proof. Note that the Fourier transform over $C_p$ can be done efficiently, see appendix C,

to make it efficient. The efficient procedure we require is as follows:
$$\begin{aligned}|0\rangle|0\rangle|0\rangle &\xrightarrow{\ \text{apply the hiding function } f\ } \frac{1}{\sqrt{|G|}}\sum_{g\in G}|0\rangle|g\rangle|f(g)\rangle,\\ &\xrightarrow{\ \text{measure and discard the third register}\ } \frac{1}{\sqrt{|H|}}\sum_{h\in H}|0\rangle|ah\rangle = |0\rangle\otimes|aH\rangle,\\ &\xrightarrow{\ \text{Fourier transform over } C_p \text{ on the first register}\ } \frac{1}{\sqrt p}\frac{1}{\sqrt{|H|}}\sum_{h\in H}\sum_{i\in C_p}|i\rangle|ah\rangle = |C_p\rangle\otimes|aH\rangle,\\ &\xrightarrow{\ \text{multiply the second register by } z^{-i}\ } \frac{1}{\sqrt p}\frac{1}{\sqrt{|H|}}\sum_{h\in H}\sum_{i\in C_p}|-i\rangle|ahz^i\rangle = \frac{1}{\sqrt p}\sum_{i\in C_p}\big(|-i\rangle\otimes|aHz^i\rangle\big),\\ &\xrightarrow{\ \text{Fourier transform over } C_p \text{ on the first register}\ } \frac{1}{\sqrt p}\frac{1}{\sqrt p}\frac{1}{\sqrt{|H|}}\sum_{h\in H}\sum_{i\in C_p}\sum_{u\in C_p}\omega^{-iu}|u\rangle|ahz^i\rangle = \frac{1}{\sqrt p}\sum_{u\in C_p}|u\rangle\otimes|aHZ_G^u\rangle.\end{aligned}$$

To apply the states produced in lemma 6.10 we define automorphisms of our extraspecial group which will turn out to be essential in creating our efficient hiding procedure for $HZ_G$.

Definition 6.11 (Definition and Proposition). Let $j = 1,\dots,p-1$. We define the automorphisms $\phi_j\in\mathrm{Aut}(G)$ by: $\phi_j(x_i) = x_i^j$, $\phi_j(y_i) = y_i^j$ and $\phi_j(z) = z^{j^2}$.

Proof. To show that these $\phi_j$ can indeed be extended to automorphisms on $G$ we will check the defining relations. Suppose $x_i$, $y_i$ and $z$ satisfy the defining relations. It is clear that because $p$ is prime and $j < p$, the orders of $x_i^j$, $y_i^j$ and $z^{j^2}$ are still either $p$ or $p^2$, whichever order they had before the automorphism. Also if $z$ commutes with both $x_i$ and $y_i$, then clearly $z^{j^2}$ commutes with both $x_i^j$ and $y_i^j$. Lastly we see that:
$$[x_i^j, y_i^j] = x_i^jy_i^jx_i^{-j}y_i^{-j} = [x_i,y_i]^j\,x_i^{j-1}y_i^jx_i^{-(j-1)}y_i^{-j} = [x_i,y_i]^{2j}\,x_i^{j-2}y_i^jx_i^{-(j-2)}y_i^{-j} = \cdots = [x_i,y_i]^{j^2} = z^{j^2}.$$
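Definition 6.11 checked by computation in the Heisenberg group $H_p$ of section 6.1, as an added example that is not part of the thesis. Elements are stored as triples $(a,b,c)$ standing for the matrix with first row $(1,a,c)$, second row $(0,1,b)$ and third row $(0,0,1)$ over $\mathbb F_p$, so $x=(1,0,0)$, $y=(0,1,0)$, $z=(0,0,1)$ and $[x,y]=z$ with the commutator convention of definition 6.1. The code verifies the relation $[x^j,y^j]=z^{j^2}$ from the proof and then checks, by brute force over all pairs, that $\phi_j$ is a bijective homomorphism for every $j$, while the naive variant that sends $z$ to $z^j$ instead of $z^{j^2}$ is not. The triple encoding and all function names are choices made for this example.

```python
from itertools import product

# Added example (not from the thesis): definition 6.11 verified in H_p, with
# elements written as (a, b, c) for the unitriangular matrix [[1,a,c],[0,1,b],[0,0,1]].


def mul(g, h, p):
    """Matrix product of two Heisenberg elements, reduced mod p."""
    a1, b1, c1 = g
    a2, b2, c2 = h
    return ((a1 + a2) % p, (b1 + b2) % p, (c1 + c2 + a1 * b2) % p)


def inv(g, p):
    """Inverse: (a, b, c)^-1 = (-a, -b, ab - c)."""
    a, b, c = g
    return ((-a) % p, (-b) % p, (a * b - c) % p)


def power(g, n, p):
    """n-th power by repeated multiplication; negative n uses the inverse."""
    if n < 0:
        g, n = inv(g, p), -n
    r = (0, 0, 0)
    for _ in range(n):
        r = mul(r, g, p)
    return r


def commutator(g, h, p):
    """[g, h] = g h g^-1 h^-1, the convention of definition 6.1."""
    return mul(mul(g, h, p), mul(inv(g, p), inv(h, p), p), p)


X, Y, Z = (1, 0, 0), (0, 1, 0), (0, 0, 1)  # generators; Z is central


def normal_form_exponents(g, p):
    """(i, j, k) with g = x^i y^j z^k: x^a y^b = (a, b, ab), so k = c - ab."""
    a, b, c = g
    return a, b, (c - a * b) % p


def phi(j, g, p):
    """phi_j of definition 6.11 applied to the normal form: x^i y^k z^l -> x^(ji) y^(jk) z^(j^2 l)."""
    i, k, l = normal_form_exponents(g, p)
    xj = power(X, (j * i) % p, p)          # exponents reduced mod p since x, y, z have order p
    yj = power(Y, (j * k) % p, p)
    zj = power(Z, (j * j * l) % p, p)
    return mul(mul(xj, yj, p), zj, p)


def naive_map(j, g, p):
    """The tempting but wrong choice z -> z^j; fails to be a homomorphism for j != 1."""
    i, k, l = normal_form_exponents(g, p)
    return mul(mul(power(X, (j * i) % p, p), power(Y, (j * k) % p, p), p), power(Z, (j * l) % p, p), p)


def is_automorphism(f, p):
    """Brute-force check that f: H_p -> H_p is bijective and multiplicative."""
    elems = list(product(range(p), repeat=3))
    if len({f(g) for g in elems}) != len(elems):
        return False
    return all(f(mul(g, h, p)) == mul(f(g), f(h), p) for g in elems for h in elems)


def commutator_relation_holds(j, p):
    """The key step in the proof of definition 6.11: [x^j, y^j] = z^(j^2)."""
    return commutator(power(X, j, p), power(Y, j, p), p) == power(Z, (j * j) % p, p)


def check_definition_6_11(p):
    """True iff for every j = 1..p-1 the relation holds and phi_j is an automorphism of H_p."""
    return all(commutator_relation_holds(j, p) and is_automorphism(lambda g, j=j: phi(j, g, p), p)
               for j in range(1, p))
```

The brute-force check is $p^6$ multiplications per $j$, which is instant for $p=5$ and is only meant to confirm the algebra in the proof; in matrix coordinates $\phi_j$ works out to $(a,b,c)\mapsto(ja,jb,j^2c)$, which makes the homomorphism property visible by hand as well.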

As it turns out the states $|aHZ_G^u\rangle$ are eigenvectors of the group action of multiplication from the right by $\phi_j(g)$, whenever $g\in HZ_G$.

Lemma 6.12. Let $h\in H$. Then

i) there exists $l\in C_p$ such that for any $a\in G$, $u\in C_p$ and $\phi_j$ as in definition 6.11 we have:
$$|aHZ_G^u\cdot\phi_j(h)\rangle = \omega^{u(j-j^2)l}\,|aHZ_G^u\rangle,$$

ii) for any $a\in G$, $u\in C_p$ and $\phi_j$ as in definition 6.11 we have:
$$|aHZ_G^u\cdot\phi_j(z)\rangle = \omega^{uj^2}\,|aHZ_G^u\rangle.$$

Proof. First we note the following two equalities:
$$\forall h\in H:\ |aHZ_G^u\cdot h\rangle = |aHZ_G^u\rangle,$$
$$\forall z\in Z_G:\ |aHZ_G^u\cdot z\rangle = \omega^u\,|aHZ_G^u\rangle.$$

i) Let $h$ be some element of $H$. Then $\phi_j(h) = h^jz^t$, for some $t\in C_p$ depending on $h$ and $j$. We will show that $t = (j-j^2)l$, where $l$ depends only on $h$. Let $j_0$ be a primitive root modulo $p$. Then $\phi_{j_0}(h) = h^{j_0}z^s$, for some $s\in C_p$. Set $l = s(j_0-j_0^2)^{-1}$ and $k = hz^l$. Then $\phi_{j_0}(k) = h^{j_0}z^{l(j_0-j_0^2)}z^{lj_0^2} = k^{j_0}$. Now since $j_0$ was a primitive root modulo $p$ we have $\phi_j(k) = k^j$ and therefore $\phi_j(h) = \phi_j(k)\phi_j(z^{-l}) = h^jz^{l(j-j^2)}$. Together with the above equalities this implies:
$$|aHZ_G^u\cdot\phi_j(h)\rangle = |aHZ_G^u\cdot h^jz^{l(j-j^2)}\rangle = \omega^{u(j-j^2)l}\,|aHZ_G^u\rangle.$$

ii) This second part follows immediately from the definition of $\phi_j$ and the above equalities:
$$|aHZ_G^u\cdot\phi_j(z)\rangle = |aHZ_G^u\cdot z^{j^2}\rangle = \omega^{uj^2}\,|aHZ_G^u\rangle.$$

Now we will apply lemmas 6.10 and 6.12 to create a hiding set for $HZ_G$ in $G$. For $\bar a = (a_1,a_2,a_3,a_4)\in G^4$, $\bar u = (u_1,u_2,u_3,u_4)\in C_p^4$, $\bar j = (j_1,j_2,j_3,j_4)\in(\mathbb F_p^*)^4$ and $g\in G$, we define the quantum state $|\Psi_g^{\bar a\bar u\bar j}\rangle$ in $\mathbb C^{|G|^4}$ by:
$$|\Psi_g^{\bar a\bar u\bar j}\rangle = |a_1HZ_G^{u_1}\cdot\phi_{j_1}(g),\ a_2HZ_G^{u_2}\cdot\phi_{j_2}(g),\ a_3HZ_G^{u_3}\cdot\phi_{j_3}(g),\ a_4HZ_G^{u_4}\cdot\phi_{j_4}(g)\rangle.$$
Our goal now is to be able to efficiently generate triples $(\bar a,\bar u,\bar j)$ such that for every $g\in HZ_G$ we have $|\Psi_g^{\bar a\bar u\bar j}\rangle = |a_1HZ_G^{u_1}, a_2HZ_G^{u_2}, a_3HZ_G^{u_3}, a_4HZ_G^{u_4}\rangle$. We call such triples appropriate. The reason we look for such appropriate triples is that they give us a hiding set for $HZ_G$ in $G$.

Lemma 6.13. If $(\bar a,\bar u,\bar j)$ is an appropriate triple, then $\{|\Psi_g^{\bar a\bar u\bar j}\rangle \mid g\in G\}$ is a hiding set for $HZ_G$ in $G$.

Proof. Let $\mathrm{supp}(|X\rangle)$ denote the set of basis elements with non-zero amplitude in $|X\rangle$. First note that for every $a\in G$ and $u\in C_p$ we have $\mathrm{supp}(|aHZ_G\rangle) = \mathrm{supp}(|aHZ_G^u\rangle)$. Suppose $g_1$ and $g_2$ are in different left cosets of $HZ_G$; then $\phi_j(g_1)$ and $\phi_j(g_2)$ remain in different left cosets because $\phi_j$ is an automorphism of $G$. Because of this, $\mathrm{supp}(|aHZ_G\cdot\phi_j(g_1)\rangle)$ and $\mathrm{supp}(|aHZ_G\cdot\phi_j(g_2)\rangle)$ are contained in different left cosets and are therefore disjoint. This implies that $|\Psi_{g_1}^{\bar a\bar u\bar j}\rangle$ and $|\Psi_{g_2}^{\bar a\bar u\bar j}\rangle$ are orthogonal. Now suppose $g_1$ and $g_2$ are in the same left coset of $HZ_G$; then $g_1 = gg_2$ for some

Do appropriate triples exist? In our definition of $|\Psi_g^{\bar a\bar u\bar j}\rangle$ we took four copies of $|HZ_G^u\rangle$. The reason we took four copies is that by doing so we gave ourselves enough degrees of freedom to efficiently generate appropriate triples. Let $(\bar a,\bar u,\bar j)\in G^4\times C_p^4\times(\mathbb F_p^*)^4$ and let $g$ be an element of $HZ_G$. Then $g = hz^t$ for some $h\in H$ and $t\in C_p$, and by lemma 6.12 there exists an $l\in C_p$ such that:
$$\begin{aligned}|\Psi_g^{\bar a\bar u\bar j}\rangle &= |a_1HZ_G^{u_1}\cdot\phi_{j_1}(g),\ a_2HZ_G^{u_2}\cdot\phi_{j_2}(g),\ a_3HZ_G^{u_3}\cdot\phi_{j_3}(g),\ a_4HZ_G^{u_4}\cdot\phi_{j_4}(g)\rangle\\ &= |a_1HZ_G^{u_1}\cdot\phi_{j_1}(hz^t),\ a_2HZ_G^{u_2}\cdot\phi_{j_2}(hz^t),\ a_3HZ_G^{u_3}\cdot\phi_{j_3}(hz^t),\ a_4HZ_G^{u_4}\cdot\phi_{j_4}(hz^t)\rangle\\ &= \omega^{\sum_{i=1}^4u_i(j_i-j_i^2)l}\,|a_1HZ_G^{u_1}\cdot\phi_{j_1}(z)^t,\ a_2HZ_G^{u_2}\cdot\phi_{j_2}(z)^t,\ a_3HZ_G^{u_3}\cdot\phi_{j_3}(z)^t,\ a_4HZ_G^{u_4}\cdot\phi_{j_4}(z)^t\rangle\\ &= \omega^{\sum_{i=1}^4u_i(j_i-j_i^2)l + u_ij_i^2t}\,|a_1HZ_G^{u_1},\ a_2HZ_G^{u_2},\ a_3HZ_G^{u_3},\ a_4HZ_G^{u_4}\rangle.\end{aligned}$$

We say that $\bar u\in C_p^4$ is good if the following system of quadratic equations modulo $p$ has a nonzero solution:
$$\begin{cases}\sum_{i=1}^4u_i(j_i-j_i^2) = 0\\[2pt] \sum_{i=1}^4u_ij_i^2 = 0,\end{cases} \qquad (6.2)$$
and we call a solution $\bar j\in C_p^4$ of 6.2 a witness of $\bar u$ being good. Using this terminology it is clear that if $\bar u$ is good and $\bar j$ is a witness of $\bar u$ being good, then for any $\bar a\in G^4$ we have that $(\bar a,\bar u,\bar j)$ is an appropriate triple.

What remains now is to investigate how likely it is that a random $\bar u\in C_p^4$ is good.

Lemma 6.14. For every $\bar a\in G^4$, we have that for a random $\bar u\in C_p^4$:
$$P[\bar u \text{ is good}] \ge \frac{p-9}{2p}.$$
Moreover, when $\bar u$ is good we can efficiently find a witness $\bar j$.

Proof. First we simplify the system of equations 6.2 by adding the second equation to the first equation. This results in the system of equations
$$\begin{cases}\sum_{i=1}^4u_ij_i^2 = 0\\[2pt] \sum_{i=1}^4u_ij_i = 0.\end{cases} \qquad (6.3)$$
To further simplify and solve 6.3, we set $j_3 = 1$ and $j_4 = -1$, and substitute $v = u_3+u_4$ and $w = u_3-u_4$. This results in the system of equations
$$\begin{cases}u_1j_1^2 + u_2j_2^2 = -v\\[2pt] u_1j_1 + u_2j_2 = -w.\end{cases} \qquad (6.4)$$
We will show that for random $(u_1,u_2,v,w)\in C_p^4$, the reduced system 6.4 has a solution $(j_1,j_2)\in(\mathbb F_p^*)^2$ with probability at least $(p-9)/2p$, and that the solution is easy to find. We list two conditions under which we claim that we can efficiently find a solution $(j_1,j_2)\in(\mathbb F_p^*)^2$. We will first determine the probability that the two conditions are satisfied, after which we show that the conditions are sufficient for us to efficiently find a solution $(j_1,j_2)\in(\mathbb F_p^*)^2$.

i) $u_1\ne0$, $u_2\ne0$, $u_1+u_2\ne0$ and $j_2\ne0$,

ii) $D = -4u_1u_2\big(w^2+(u_2+u_1)v\big)$ is a quadratic residue.

We have with probability $4/p$ that i) is not satisfied. Because $D$ is linear in $v$ we have that $D$ is uniformly distributed over $C_p$; therefore the probability of $D$ being a quadratic residue equals $\#(\text{quadratic residues})/p = ((p-1)/2)/p = (p-1)/2p$. So, the probability that i) and ii) are satisfied is at least $(p-1)/2p - 4/p = (p-9)/2p$.

Suppose i) and ii) are satisfied. Then by i) we can substitute $j_2 = -\frac{w+u_1j_1}{u_2}$ into the first equation of 6.4 and get in $j_1$ the quadratic equation $(u_1u_2+u_1^2)j_1^2 + 2u_1wj_1 + (w^2+vu_2) = 0$. This is a quadratic equation whose discriminant is $D$. Now since $D$ is a quadratic residue modulo $p$ we can apply Tonelli's algorithm (see [9]) to efficiently compute a square root of $D$ modulo $p$ and thus find a solution $j_1\in\mathbb F_p^*$. Now since $j_2\ne0$ we have that we found a solution $(j_1,j_2)\in(\mathbb F_p^*)^2$ to 6.2 and thus that $\bar u$ is good.
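The constructive part of lemma 6.14 carried out in code, as an added example that is not part of the thesis. Given $\bar u$ modulo a prime $p$ it follows the proof: set $j_3 = 1$, $j_4 = -1$, form $v = u_3+u_4$ and $w = u_3-u_4$, check conditions i) and ii), solve the quadratic in $j_1$ with a Tonelli-Shanks square root, recover $j_2$ from the linear equation, and verify the result against both equations of system 6.2. The function `good_fraction` counts, for a small $p$, how many $\bar u$ the procedure succeeds on so the count can be compared with the lemma's bound $(p-9)/2p$. The example values $\bar u = (1,1,1,1)$ with $p = 13$ are constructed; the Tonelli-Shanks routine is a standard one written for this example, not the reference [9].

```python
from itertools import product

# Added example (not from the thesis): finding a witness j for a good u as in
# the proof of lemma 6.14, with a Tonelli-Shanks square root modulo p.


def legendre(a, p):
    """Euler's criterion: 1 for a nonzero residue, p-1 for a non-residue, 0 for a = 0 mod p."""
    return pow(a % p, (p - 1) // 2, p)


def tonelli_shanks(n, p):
    """A square root of n modulo an odd prime p, or None if n is a non-residue."""
    n %= p
    if n == 0:
        return 0
    if legendre(n, p) != 1:
        return None
    q, s = p - 1, 0                      # write p - 1 = q * 2^s with q odd
    while q % 2 == 0:
        q //= 2
        s += 1
    nonres = 2                           # any quadratic non-residue will do
    while legendre(nonres, p) != p - 1:
        nonres += 1
    m, c, t, r = s, pow(nonres, q, p), pow(n, q, p), pow(n, (q + 1) // 2, p)
    while t != 1:
        i, t2 = 0, t                     # least i with t^(2^i) = 1
        while t2 != 1:
            t2 = t2 * t2 % p
            i += 1
        b = pow(c, 1 << (m - i - 1), p)
        m, c, t, r = i, b * b % p, t * b * b % p, r * b % p
    return r


def satisfies_6_2(u, j, p):
    """Both equations of system 6.2, plus the requirement that every j_i lies in F_p^*."""
    if any(ji % p == 0 for ji in j):
        return False
    eq1 = sum(ui * (ji - ji * ji) for ui, ji in zip(u, j)) % p
    eq2 = sum(ui * ji * ji for ui, ji in zip(u, j)) % p
    return eq1 == 0 and eq2 == 0


def find_witness(u, p):
    """Return a witness (j1, j2, j3, j4) for u being good, or None if the proof's
    conditions fail (the hiding procedure of theorem 6.15 then resamples u)."""
    u1, u2, u3, u4 = (ui % p for ui in u)
    v, w = (u3 + u4) % p, (u3 - u4) % p
    if u1 == 0 or u2 == 0 or (u1 + u2) % p == 0:        # condition i), the part checkable up front
        return None
    D = (-4 * u1 * u2 * (w * w + (u1 + u2) * v)) % p    # discriminant of the quadratic in j1
    root = tonelli_shanks(D, p)
    if root is None:                                    # condition ii) fails
        return None
    # (u1 u2 + u1^2) j1^2 + 2 u1 w j1 + (w^2 + v u2) = 0, solved with the quadratic formula mod p
    lead_inv = pow((2 * (u1 * u2 + u1 * u1)) % p, -1, p)
    for sqrt_d in (root, (-root) % p):
        j1 = ((-2 * u1 * w + sqrt_d) * lead_inv) % p
        j2 = ((-w - u1 * j1) * pow(u2, -1, p)) % p      # from u1 j1 + u2 j2 = -w
        j = (j1, j2, 1, p - 1)                          # j3 = 1, j4 = -1 as in the proof
        if satisfies_6_2(u, j, p):                      # also enforces j1, j2 != 0
            return j
    return None


def good_fraction(p):
    """Fraction of all u in C_p^4 for which find_witness succeeds; compare with (p-9)/2p."""
    total = p ** 4
    hits = sum(1 for u in product(range(p), repeat=4) if find_witness(u, p) is not None)
    return hits / total
```

For $\bar u = (1,1,1,1)$ and $p = 13$ one gets $v = 2$, $w = 0$, $D \equiv 10$, a square root $7$, and the witness $(5, 8, 1, 12)$; substituting back gives $\sum u_i j_i = 26$ and $\sum u_i j_i^2 = 234$, both divisible by $13$.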

Now that we have discussed the existence of appropriate triples we can describe an efficient hiding procedure for $HZ_G$ in $G$.

Theorem 6.15. Let $G$ be an extraspecial $p$-group, and let $f$ hide $H$ in $G$. Then there is an efficient quantum procedure which hides $HZ_G$ in $G$.

Proof. We describe the efficient hiding procedure.

1. Compute for some $\bar a\in G^4$ the superposition:
$$\frac{1}{p^2}\bigotimes_{i=1}^4\sum_{u_i\in C_p}|u_i\rangle|a_iHZ_G^{u_i}\rangle.$$

2. Measure the first registers to obtain a $\bar u\in C_p^4$. If $\bar u$ is good then find a solution $\bar j\in(\mathbb F_p^*)^4$ that witnesses $\bar u$ and continue, else go back to step 1.

3. Using the additional input $|g\rangle$ compute $|\Psi_g^{\bar a\bar u\bar j}\rangle$.

Step 1 can be done efficiently by lemma 6.10. We have by lemma 6.14 that we only have to repeat step 1 a constant number of times. Finally by lemma 6.13 we have that the output of the above procedure is indeed hiding $HZ_G$ in $G$.

Now that we have derived an efficient quantum hiding procedure for $HZ_G$ in $G$ and have reduced finding $H$ to finding $HZ_G\cap\overline G$ in $\overline G$ we conclude that the hidden subgroup problem in extraspecial groups can be solved efficiently.

Theorem 6.16. Let $G$ be an extraspecial $p$-group, and let $f$ hide $H$ in $G$. Then there is an efficient quantum procedure which finds $H$.

7. Conclusion

As we have seen, the hidden subgroup problem has some interesting instances. Some of these instances we can efficiently solve on a quantum computer, think of the discrete logarithm. However, there are also instances which we cannot yet efficiently solve on a quantum computer. The main characteristic as to why some instances can be efficiently solved and others cannot is how far the group in which we solve the hidden subgroup problem is removed from being abelian. In chapter 3 we have seen that for the hidden subgroup problem in abelian groups we have an efficient quantum algorithm, but also that a natural generalization of this algorithm to non-abelian groups fails. We have yet to find a uniform algorithm that solves the hidden subgroup problem in an arbitrary group. Over the past years a lot of research has been done to solve the hidden subgroup problem in non-abelian groups. This research started at the algorithm for the hidden subgroup problem in abelian groups and from there moved to algorithms for the hidden subgroup problem in groups that are increasingly further removed from being abelian.

For future work one could try to construct an algorithm to determine whether or not a graph is vertex-transitive. A graph $G$ is vertex-transitive if $\mathrm{Aut}(G)$ is a transitive subgroup of $S_n$. Since $\mathrm{Aut}(G)$ can be viewed as a hidden subgroup, see chapters 2 and 5, one could try to determine whether it is a transitive subgroup of $S_n$ using a quantum algorithm along the lines of the algorithms and experiments proposed throughout this thesis. If one is able to construct such an algorithm then it would also solve the graph isomorphism problem for vertex-transitive graphs, because two vertex-transitive graphs $G_1$ and $G_2$ are isomorphic if and only if their disjoint union $G_1\sqcup G_2$ is vertex-transitive.
